An edited version of this paper appeared with the title "Catch My Drift? Can you define "digital signature" in non-technical terms? The future of e-commerce law may depend on it." in the September 1999 issue of Information Security Magazine.
In May of this year, Vermont became the last U.S. state to enact computer crime legislation. When I first testified about the proposed law in 1997, I was asked to define words such as "server" and "network." I wasn't being asked for either a legal or formal definition; the questioners really had no clue as to what these things were, how they related to Vermonters and the Internet, and why new legislation was being proposed to protect them ("Don't we already have trespass laws?"). The experience was an introduction to the hurdles that face state and national legislatures as they grapple with the legal framework necessary for the future of cryptography and, ultimately, electronic commerce.
Language is a wonderful tool for communication. It can also be a significant hindrance. As children, we think in visual terms. But from the day we learn how to speak, most of our creativity is channeled into the spoken word. And the words that we know limit the very images that we can conjure and directly affect the way in which we understand and imagine things.
Most people who use the Internet cannot describe the basics about the network. What is the Internet? How does the Internet differ from the Web? Who is in charge? Unfortunately, the bodies attempting to regulate and create laws affecting the Internet don't truly understand the network very well either, which must be why regulators, legislators, and even the players themselves often talk about the Internet in terms of the telephone network; the latter conveys images that we understand.
Understandable images are essential to selling products and ideas. The market success of "56 kbps modems," for example, has less to do with consumers understanding the technology than it does with them being comfortable with the words describing devices that are neither 56 kbps nor modems. But the words correctly and simply convey that this was just the next step in an evolution, and that is really what we want them to know.
What we know drives our decisions. A 1997 study showed that 68% of surveyed Fortune 100 executives thought that the Internet was controlled by a corporation, many thinking that it was part of Microsoft. If this is your knowledge base, consider the decisions that you are likely to make.
Although laws have always lagged behind technology, the Internet has demonstrated an unprecedented rate of change and its users an incredibly fast rate of adoption of new technologies. The rapid commercial growth of the Internet that began more than seven years ago is today largely fueled by e-commerce, which will require cryptography and other mechanisms to provide privacy, authentication, message integrity, and trust to achieve widespread acceptance and success. And these mechanisms require procedures and policies and law, which is what the digital signature legislative efforts at the state and national levels is all about.
What images, though, are conjured up by the phrase "digital signature"? Some people think of a fax document with a signature on it. Others see a Word document with an embedded graphical image of a handwritten signature. Still others think of certificates that bind an identity, a public key, and a certificate authentication chain.
And what words describe the underlying technology to the regulators, legislators, and users? Secret key cryptography. Hash functions. Public key cryptography. Key length. X.509. Certificates. Certification authority. Certification practice statement. Certificate revocation. The language (our "jargon") that so clearly conveys images to us in the field causes nothing but confusion (and possibly a sense of condescension or elitism) to those outside. It is easier (and politically more visible and popular) for regulators and the public to concentrate on key escrow and "keeping cryptography out of the hands of criminals" than to understand the technology well enough to develop the proper legislation.
We have to get past the regulation of the technology so that we really can address the national and international policy issues. After all is said and done, cryptography and digital signatures are not ends unto themselves but are the enablers of e-commerce and emerging electronic businesses. While good laws and policies are necessary for the future of Internet-based commerce, they are not sufficient. The prize is not doing away with key escrow; the prize is unfettered, safe electronic commerce.
Policies are not laws and neither drive technologies, although all are related. The challenge for us is to use language as a bridge between these different objectives.
Gary C. Kessler (firstname.lastname@example.org) is a senior network security analyst at SymQuest Group, a network integration consulting company in South Burlington, VT.