The Electronic Transactions Ordinance (ETO) was enacted in Hong Kong on 5 January 2000 and came into force in April 2000. As this is a fast-changing field, the Information Technology and Broadcasting Bureau (ITBB) is conducting a review and is now invite public views on their proposals as well as comments on any other aspects of the ETO. The public consultation document is available.Comments should be sent to the ITBB by 30 April 2002. In the interests of promoting open debate on this important legislation, Allan Dyer offers some comments:
One of the suggestions is considering whether legal recognition should be extended to cover other forms of electronic signatures, in addition to digital signature, in order to stimulate e-business development. In the ETO, an electronic signature is any symbols adopted for the purpose of authenticating or approving an electronic record, and a digital signature is a subset of electronic signature that uses an asymmetric cryptosystem and a hash function I consider that extending legal recognition to any forms of electronic signature that are less robustly secure than digital signatures would be a step backwards and would discourage e-business development. Digital signatures offer a high level of integrity, authentication and non-repudiation that other current technologies cannot match. Increasing computing power has made digital signatures feasible on most current computing platforms; in the near future even small handheld devices will be able to perform digital signing in an acceptable time. Security fears are often cited for reluctance to adopt e-business. New technologies "take off" when a critical mass is reached. Recognition of other type of electronic signature would merely reduce the security and fragment the market, with a negative effect on e-business development. A major advantage of Digital Signatures is that a single Private Key can be used for signing everything - once a user has enrolled and got their Certificate for one purpose, they can use it for every other service that supports Digital Signatures without further enrolment. Thus, once a person starts using a Digital Signature, they will want to use it for everything, and the effect snowballs. This is not to say that the ITBB should not consider new technologies in future, just that offering a "choice" of using older, weaker, more flawed technologies will not encourage e-business development. Digital Signatures are the best available technology for electronic signatures today, and there is no reason to encourage adoption of less suitable systems.
Connected with the consideration of weaker forms of authentication, the ITBB recommends, "We, therefore, consider that there is a case for the ETO to be amended and a new schedule added so that the Secretary for Information Technology and Broadcasting (the Secretary) may, by subsidiary legislation, specify in the new schedule legal provisions under which the use of PIN will be accepted for satisfying the signature requirement." Specifically citing the Electronic Service Delivery Scheme as a case where there is already established relationship between the parties involved and strong encryption services for data transmission are used, thus making the level of security commensurate with the risk of the service involved. However, although ESD booths may be secure in themselves, most people nowadays are suffering from "PIN/password overload" and, in a misguided effort to cope, are re-using passwords in different security domains (i.e., using the same password whenever they are required to choose one). Thus, an attacker could harvest passwords from an insecure online service (or might be the legitimate owner of a website using passwords), and then attempt to use those passwords at ESD booths with a reasonable proportion of successes. This is an interesting example of the weakest link determining the overall security - although the booths are secure, the user's management of their multiple passwords is flawed, making the system vulnerable.
Of course, Digital Signatures are not susceptible to this weakness - even though the same key-pair is used in both situations, the attacker cannot get the private key necessary for beating the authentication at the ESD booths. In fact, Digital Signatures offer an escape from "password overload", which is an excellent reason for promoting their widespread use.
One of the applications where the ITBB suggests a PIN might be suitable is for Tax Return submission, but there is no evidence that a PIN option would encourage more electronic submissions. I did not use my eCert to sign and submit my tax return because I could not make a joint submission, changing to a password scheme would not help this.
The ITBB also looked at biometrics and concluded, "We, therefore, consider that other means of authentication including biometrics should be examined at a later stage when they become more mature, and when related institutional support emerges in the market." Biometrics are an excellent means of authentication where there is a trusted reader, which makes them generally unsuitable for e-business, I discussed this at greater length in an earlier issue of this newsletter.
I see that the key enabler that legislation can provide to encourage greater adoption of e-Commerce is a secure standard. A confusion of stronger and weaker electronic signature options will merely fragment the marketplace, and confuse consumers. This can be compared to cash - the Government sets the standard, and traders decide on whether they have a till, or a vending machine or whatever.