Select Committee on European Union Written Evidence

Memorandum by Professor Harold Thimbleby, Middlesex University, London

What needs to be done to create confidence and to stimulate e-commerce?


1.  Regulatory uncertainty and personal worries over privacy are factors undermining confidence. Personal worries over privacy focus much debate underlying regulatory concerns. Trust needs to be encouraged between e-commerce parties (on short-term issues) and between investors and regulators (on long-term issues).

  2.  Abuse of personal privacy, say, by using cryptographic techniques to conceal unlawful activities, is of concern. Unfortunately the techniques that can be used by criminals are techniques that can be used fore-commerce. Inevitably, companies that sell CDs securely will be able to sell seedy products securely.

  3.  Keep regulation in perspective. Although roads can be used by both good and bad people, good drivers are only very exceptionally hindered by road blocks. Unlike roads, e-commerce is based on new technologies that have not been fully developed. Imposing "road-blocks" is likely to be premature over-reaction.

  4.  Privacy is not an issue so much as building up trust—as it were, most effort should be put into encouraging good driving rather than concentrating on bad drivers. When parties can trust each other, intrusions of privacy are secondary. Trust can be built up by degrees, and depends on (i) the certain identification of the parties concerned (ii) the ability to locate the parties in the future (iii) the possibility of sanctions that can be imposed outside of the relationship. In the physical world, these factors are taken for granted. In the virtual world, we have become accustomed to anonymity. Thus hackers can easily cause havoc that cannot be traced back to them: they have no identities—and this is what vandals conventionally relish. Trust is a new concept on the Internet.

  5.  Because of widespread anonymity (eg where do cookies come from?) people tend to over-react and emphasise privacy as a protection. Partially; but identity is required. If we knew where the cookies came from, and could in principle get back to their originators, impose sanctions on them, and so forth, trust would be built up.


  6.  Identity can be ensured within any nation state by a physically-based registry (eg employing key escrow connected to IDs). The Internet is far bigger, and solutions that depend on single nation, centralised, databases will be of limited value. Moreover political culture from nation to nation will undermine each nation's "rational"—but culturally specific—safeguards.

  7.  Strong cryptographic techniques, such as zero knowledge proof (I can prove I know something without revealing the knowledge) and key exchange (I can exchange keys with no third party knowing them) require the use of methods that are subject to regulation. It should be said at once that these technologies are at their early stages of development.

  8.  Whilst debate focuses on privacy, the technologies that are required for trust will not be developed (nor will experimental solutions be tested).

  9.  The Internet (as currently based on TCP/IP) is inadequate; regulation based on its absence-of-trust mechanisms will be temporary. Technologies—not just legislation—requiring CPU IDs in packets, tamper-proof hardware, and so forth will be required. Without tamper-proof hardware it is easy to confuse trusted parties for trusted computers. So far—outside of very special situations—we have no trusted computers, and hence no trusted parties.

7 March 2000

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2000