One enduring cartoon shows a dog at a PC, with the punch line "On the Internet, nobody knows you're a dog!" Behind the joke is a serious message: the biggest questions raised by the growth of the Internet relate to trust and privacy. Can my Internet bank be sure that I am me and not the mutt?
When customers deal with a bank over the Net, they can have reasonable confidence that the site they go to does in fact belong to the bank. Technology does not allow the bank to be so sure of their identities. Hence the rigmarole of passwords and PINs. Even with this, the small print of a customer's contract with the bank will usually have a clause saying in effect: "If anything goes wrong with this, it's your fault". In reality, there is a good chance that a bank will not enforce this clause if a crook impersonates the customer and cleans out their account. What will happen, though, when half of all banking is done over the Net? Before we get to that stage, there will have to be mechanisms to allow a bank to be as sure of a customer's identity as if the customer were standing in a branch. That way, a customer could not later repudiate online transactions.
As well as "bank" and "customer", of course, similar questions of trust and identity arise between student and college, or patient and doctor, or business supplier and purchaser. As more and more of our interaction happens online it becomes increasingly important to be sure who we're dealing with.
The technology to let this happen exists today in public key infrastructure (PKI) encryption. This is what Bertie Ahern and Bill Clinton used to digitally sign a document last year.
PKI relies on an individual holding the private key that matches a digital certificate, a certificate that identifies the user with the same reliability as a passport. Typical implementations of PKI at the moment store keys and certificates on PCs, however, making them far more cumbersome than a passport. Smart cards could make digital IDs portable enough for a world where Internet access is everywhere and the Net is the standard way of doing business rather than the exception. But a machine-readable card that is required for all sorts of personal, professional, financial and political (voting with it would be a natural extension) transactions has enormous potential for "big brother" abuse.
This is the point at which governments can intervene with legislation that provides for digital IDs, but at the same time protects citizens' privacy. Ireland could gain a lot by becoming PKI-enabled. Online transactions are by their nature much faster and more efficient than personal or paper ones. Even small efficiency improvements in areas like social welfare payments or administering EU funds could save millions of pounds.
Guaranteed authentication and the assurance that neither side could renege could also permit large-value, complicated transactions to move online. This will be required to lubricate international trade growth in the next few years.
The Government knows this and wants Ireland to become a leader in European e-commerce. A round of consultation on outline legislative proposals on electronic signatures and certificates has just closed, with draft legislation expected soon.
It is to be hoped that the Government has the confidence to introduce a Bill that will give a clear and unequivocal "go for it" message to business and its own agencies. If the job is done well, then everyone will understand exactly what needs to be done. Technical standards will be set and it will be made clear what types of transaction will need to be electronically signed.
A mark of strong legislation would be the establishment of an Irish Certificate Authority (CA) to issue and guarantee digital IDs, rather than a mechanism to license or accredit other CAs. This would allow the Government to set policy on the use of the certificates issued nationally.
If people cannot trace the "path of trust" back to the State it may greatly inhibit the adoption of certificates and digital signatures. Strong legislation should also mean strong encryption, however, without any built-in "key recovery" provisions to allow state snooping on electronic transactions.
On the other hand, poor legislation could be a nightmare. Indefinite rules on encryption standards, for example, could give rise to legal cases of such technical complexity that they would be in the courts for years.
Of course there is nothing wrong with being a dog on the Internet - as long as the party you're dealing with knows, with legal certainty, that you are a dog and that your name is Fido.
Paddy Keenan (paddy.keenan@ch.unisys.com) is a senior IT security consultant with Unisys (JLS)