Authenticity of Data


Authentication procedures will be used in a wide variety of contexts in Internet electronic commerce. For web sites that simply disseminate information, no authentication procedures may be required at all unless restrictions are to be placed on who may access the information. In order to control access, password protections may be placed on certain sites. However, in order to engage in Internet commerce where parties enter binding contracts over the Internet, passwords are an inadequate means of verifying identity. The Internet can be used as a medium of communication between parties who wish to enter into contracts. The parties themselves will determine whether they are willing to rely only on information that is provided through contacts over the Internet, or whether the Internet will be used merely to supplement the current means of communication in business transactions, such as telephone, mail, and fax. Security arrangements will be least problematic where the parties already have a business relationship and are merely adding the Internet as a new channel for communications.[1]

For parties wishing to solicit new business over the Internet and enter into binding contracts with parties known to them only through online contacts, security concerns are dramatically greater and much harder to resolve.

Electronic Data Interchange (EDI) has been in use since the 1970s for business-to-business communication. Businesses that exchange information using paper forms can design communication systems that permit the computers in each business to exchange electronic messages in a format that can be interpreted within each system. Data is communicated using standardized formats that permit the messages to be sent in highly condensed forms. Many businesses are in the process of integrating Internet access into their existing computer systems, for example, to build corporate "Intranets" that distribute information within the organization and exclude public access, or to build web sites to advertise their services.

Early discussions of the design of open Internet electronic commerce models raised the idea of a "universal certification authority" that would bind the identity of a person to an online identity for all purposes. The idea was that individuals would not be burdened with remembering dozens of different passwords or carrying around dozens of different tokens to establish their online identity. This idea was soon recognized as being too simple for several reasons. First, persons in the United States do not possess identity cards for purposes unrelated to online transactions, so the idea of establishing the online equivalent of national identity cards would be expected to meet with stiff opposition from civil liberties activists. Individuals would actually feel overly burdened by using different authentication procedures for different types of online transactions, given that most people use a variety of different authentication procedures today. Second, the certification authority would have the responsibility of establishing the identity of a natural person for all legal and business purposes.

Companies that provide certification authority services are technology companies, not private investigators or even credit reporting services. As a result of these uncertainties, businesses interested in entering the certification authority market withdrew from the idea of a universal certificate. In 1996, Cylink Corporation was part of a widely publicized project with the United States Postal Service to establish a USPS certificate authority, but the project has apparently been cancelled.[2]


References

[1] American Bar Association Electronic Messaging Services Task Force, The Commercial Use of Electronic Data Interchange--A Report, 45 Bus. Law. 1645, 1650 (1990).

[2] Hudgins-Bonafield, Postmark Misses the Mark, Network Computing, Apr. 1, 1997, at 60.