7.24 General commercial incentives to change internet architecture

So far we have been focusing on the cable and telecommunications companies and the entertainment industry in our look at Lessig's counter-revolution. Now we need to think about commerce more generally. What kind of architecture or code layer does any business need in order to be able to do business reliably via the internet?

Well, in order to generate confidence and trust in business transactions and to encourage the growth of internet commerce, such an architecture would need to include:

  • authentication – you are who you say you are;

  • authorisation – you have the authority to spend £x or $y;

  • privacy – in communication;

  • integrity – transmission not altered en route (someone receiving the message should be able to check whether it has been interfered with);

  • non-repudiation – you can't deny it was you who committed to the deal.

Essentially, business needs architectures of identification. In the real world we can tell something about people through looking at them and knowing them or their reputation as part of a community. We can, for example, tell whether or not someone is a child, with a reasonable degree of confidence, just by looking at them. Hence we can make a judgement about whether to sell cigarettes to someone, having made a reasonable assessment about whether that person is legally old enough to buy them. What we don't know needs to be verified through documents like driving licences and passports, as well as trusting to some degree what people tell us.

On the Net, things are different. There is no equivalent to sizing someone up when we see them; and on the basic network there are no universally deployed driving licences or passports to help us learn about the users. This is changing. AOL (with e-wallet and related authentication services), Microsoft (with ‘Passport’ and ‘Next Generation Secure Computing Base’, previously ‘Palladium’) and the Intel-led Trusted Computing Group (previously called the Trusted Computing Platform Alliance) are among those attempting to drive the change.

If doing business depends on trust, which itself depends on identity, certification of identity and a relationship built up over time, then cyberspace gives commerce a problem. Therefore, ordinary businesses – not just the big entertainment, cable or software companies – have incentives to do something about the identity problems thrown up by the Net. They have incentives to support industry initiatives which will lead to a more business-friendly architecture or code layer.

There are three architectures of identification with which you may be familiar:

  1. Password and account name. You need a password and account name to get into your online banking system, for example.

  2. Cookies – small files that get entered into your computer's memory when you visit some websites.

  3. Digital certificates – an online passport that verifies that you are who you claim to be and contains lots of certified facts about you. Digital certificates depend on cryptography.
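The integrity and non-repudiation requirements listed earlier, and the cryptography that digital certificates depend on, can be compared in code. The sketch below is an added example, not part of the course text: it uses a shared-key HMAC for integrity and, as a standard-library stand-in for the signatures used with real certificates, a Lamport one-time signature. The order strings and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Shared-key MAC: buyer and merchant both hold the same key.
def mac_tag(shared_key: bytes, msg: bytes) -> bytes:
    return hmac.new(shared_key, msg, hashlib.sha256).digest()

def mac_ok(shared_key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, msg), tag)

# Lamport one-time signature: only the signer holds sk; anyone can hold pk.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal one secret per digest bit; a key pair must sign one message only.
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for (i, bit), s in zip(enumerate(_bits(msg)), sig))

def demo():
    order = b"buyer=alice;item=book;amount=GBP20"      # constructed sample
    altered = b"buyer=alice;item=book;amount=GBP90"    # changed en route
    key = secrets.token_bytes(32)
    tag = mac_tag(key, order)
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, order)
    return {
        "mac_detects_alteration": not mac_ok(key, altered, tag),
        # The merchant also holds the key, so a tag cannot prove who made it.
        "key_holder_can_tag_any_order": mac_ok(key, altered, mac_tag(key, altered)),
        "signature_valid": lamport_verify(pk, order, sig),
        "signature_detects_alteration": not lamport_verify(pk, altered, sig),
    }

if __name__ == "__main__":
    print(demo())
```

Both mechanisms give integrity, but only the signature supports non-repudiation: the verifier holds just the public key and so could not have produced the signature itself. A certificate adds the missing step of a trusted party vouching for whose public key it is.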

"The internet isn't free. It just has an economy that makes no sense to capitalism."

(Brad Shapcott)

Further reading:

  • Cambridge University security expert Ross Anderson has compiled a comprehensive set of frequently asked questions on Palladium and TCPA, which also touches on digital rights management (DRM).

  • Seth Schoen's trusted computing. Note: you'll need to scroll down the page a little to get to the relevant bit.

  • Edward Felten's armoured car analogy on DRM.

  • There is a useful website, CookieCentral.com, that explains everything you need to know about cookies.
