Version 6, changed by aumana. 12/24/2005.
These architectures in real space become invisible to us, but they are obviously constructs, and just as obviously they are expensive to construct. (This is the difficulty Russia faces now.) If e-commerce is to develop, we must erect equivalent architectures in cyberspace. Commerce will have to develop ways to provide vendors with sufficient security in online transactions while minimizing the burden of that security.
Again, the core of any such architecture will be tools of encryption and PKI. The core would permit the authentication of a digital certificate that verifies facts about you—your identity, citizenship, sex, age, or the authority you hold. And while we could erect an architecture of certification today—there are private certificate servers that we could use to issue certificates covering any conceivable fact—the system would not support e-commerce until these certificates were part of a general public key infrastructure that permitted secure and trustworthy communication with anyone on the Net. An architecture that contained all these elements would provide e-commerce with a security greater than the best security in real space. My view is that online commerce will not fully develop until such an architecture is established.
There are many plans for deploying this architecture.1 Some imagine the government as the certifying authority; others imagine trusted third parties (like banks) in that role. Any number of paths are possible.2 The key to all of these, however, is not that a government requires people to hold such IDs.3 The key instead is incentives: systems that build the incentives for individuals voluntarily to hold IDs. When architectures accommodate users who come with an ID installed and make life difficult for users who refuse to bear an ID, certification will spread quickly.
[UPDATE NEEDED: CERTIFICATION AUTHORITIES HAVE DEVELOPED A LOT IN THE LAST FEW YEARS. I WROTE A SHORT COMMENT MENTIONING SOME OF THESE DEVELOPMENTS IN EUROPE AND SOUTH AMERICA IN ANOTHER PART OF THIS WIKI, BUT BASICALLY THE IDEA IS THAT CHAMBERS OF COMMERCE IN DIFFERENT PARTS OF THE WORLD, GOVERNMENT ENTITIES (LIKE TAX AUTHORITIES) AND BANKS HAVE CREATED THEIR OWN CERTIFICATION AUTHORITIES TO GUARANTEE SECURITY IN ELECTRONIC COMMERCE, PROVING IN PART PROFESSOR LESSIG'S POINT. Andres F Umana SLS]
Cookies have spread in just this way. Because many people are concerned with the privacy implications of cookies, browsers have enabled users to choose whether to accept them. With one click, you can disable the deposit of cookies and so prevent the owner of a web site from selling information about you.
[UPDATE POSSIBILITY: a title here (TBD) reflecting the point that this system has associated costs and hurdles to consider]
But this privacy comes at a cost. Users who choose this option are either unable to use areas of the Net where cookies are required or forced constantly to choose whether a cookie will be deposited. Most find the hassle too great and simply accept cookies on their machine.
We will see a similar development with digital IDs. Life will be easier for those who carry ID than for those who do not. Servers will make exchanges cheaper, or simpler, if data can be authenticated. Just as it is easier to accept cookies automatically, so too will it be easier to authenticate facts about yourself. Life in an authenticating world will be simpler for those who authenticate.
If the system spreads with incentives, then we can see why commerce is so good at spreading the system. Commerce has an incentive itself to increase the authentication and certification of transactions in cyberspace. And it is in a good position to give incentives to consumers. Incentives are commerce’s best tool of regulation, and commerce is fairly good at deploying them.
Nonetheless, there is room for skepticism. No doubt there will be significant hurdles for the community to overcome as competitors fix on standards that provide a sufficiently robust yet flexible exchange. No doubt there are lots of reasons to wonder whether this infrastructure of security can develop on its own. In my view, we can see enough to be confident that it is already developing: technologies that build encryption into the background of an application are becoming common; networks are rapidly integrating digital signatures; and a host of companies (called “certificate authorities”) now provide digital certificates.4
You do not have to believe in the invisible hand to be convinced that this infrastructure of trust is coming. Even if you doubt that private interests alone could achieve this coordination, another factor suggests that the character of the Net is about to flip. If commerce alone cannot succeed in establishing these architectures, government is in a strong position to bring about just the changes that commerce needs.
The government can help commerce. How it does so is the subject of the chapter that follows.
1 See Richard L. Field, “1996: Survey of the Year’s Developments in Electronic Cash Law and the Laws Affecting Electronic Banking in the United States,” American University Law Review 46 (1997): 967, 988 (discussing a federal PKI steering committee to “coordinate efforts by executive agencies to use public key digital signature technology”); see also Baker and Hurst, The Limits of Trust, 275–83.
2 See Donna N. Lampert et al., “Overview of Internet Legal and Regulatory Issues,” Practicing Law Institute/Patents, Copyrights, Trademarks, and Literary Property 544 (1998): 179, 220; see also Grant, Understanding Digital Signatures, 66–93.
3 In the United States mandated IDs are extremely rare. It was not until the late 1950s that citizens returning from abroad were required to carry a passport; see David Brin, The Transparent Society: Will Technology Force Us to Choose Between Privacy and Freedom? (Cambridge, Mass.: Perseus Books, 1998), 68.
4 There are many digital certificate vendors serving as certificate authorities. The more well-known include VeriSign (www.verisign.com), Thawte (www.thawte.com), Cybertrust (http://www.trusecure.com), Entrust (www.entrust.com), Frontier Technologies (www.frontiertech.com), and RSA Security (http://www.rsasecurity.com). Some are tailored to a particular industry, such as TradeWave (www.tradewave.com), and some are region-specific, such as KeyWitness (www.keywitness.ca) in Canada and BelSign International (www.belsign.be) in Europe. Network Solutions has teamed up with VeriSign so that anyone who registers his or her domain name has an option to obtain a digital server certificate from VeriSign; see “Our Partners,” available at http://www.netsol.com/partners/ (visited May 30, 1999). For a more exhaustive list of certificate authorities, see “The PKI Page,” available at http://www.pki-page.org/.