The Internet Files

The network is the story: News on the latest Internet standards and struggles

July  1998
[Next story]
[Table of Contents]
Sun's Site

Mail this
article to
a friend
Internet Files index

Steps made in formation of new domain name organization

Paris (July 28, 1998) -- Charged with the task of coming up with a new global structure for the assigning and management of domain names, representatives from government, industry and academia fiercely debated the issues at a meeting in Geneva this weekend and finally came up with some basic agreements.

The meeting, second in a series of three sponsored by the International Forum on the Whitepaper, aimed to gather people interested in the domain name game in order to discuss the development of the "new IANA", or Internet Assigned Names Association, according to the Internet Society (ISOC), one of the sponsors of the free event.

"I am encouraged by the active participation of so many divergent, and formerly opposing forces," said Dr. Jon Postel, director of IANA, in an ISOC statement.

The way top-level domain names, such as .com, .org and .net, are assigned and managed came under fire two years ago when it became apparent to the growing worldwide Internet community that the U.S. government controlled almost the entire process. As it stands now, the U.S. government-funded Internet Network Information Center (InterNIC) registers top-level domain names, while another government-funded organization, IANA, maintains the technical architecture behind the names. Individual countries register their own domain names, such as .uk for the United Kingdom, but IANA and InterNIC handle the coveted .com and .net names.

Earlier this year, the U.S. government released a green paper suggesting that a new, U.S.-based organization be set up to handle the tasks of IANA, including the delegation of several new top-level domains. The international community quickly rejected the U.S.-centric plan, calling for a more global approach.

In return, the U.S. government issued a white paper in June that suggested that the private sector handle the task of creating a private, international organization to take IANA's place. Dubbed the New Organization, it would have to be put in place by Sept. 30, when IANA and InterNIC's contracts expire, the U.S. said. The New Organization would handle the creation and allocation of new top-level domain names, while private companies would compete to register the names for a fee.

The idea of the meetings to discuss the International Forum on the Whitepaper (IFWP) is to come up with a plan for the New Organization. The IFWP meeting took place last month in Reston, Virginia, the second took place this past weekend in Geneva and the third be held in Singapore on August 12-13.

While no major decisions were made at the Geneva meeting, some basic agreements were reached, ISOC said in a statement on its Web site. Specifically, steps were taken concerning the structure of the New Organization, the establishment of an interim board of directors before Sept. 30 and the relationship between trademarks and domain names.

"Discussions were constructive, sometimes heated, but the consensus demonstrated that the Internet community is very willing to self-regulate the industry," said one of the attendees of the meeting, Paul Kane, general manager of Nic.SH and Nic.AC, private registrars of country code top-level domain names based in the U.K.

This interim board, for which nominations are now being sought, will be replaced by a permanent one before Sept. 30, 2000, agreed the participants. The board will work with special councils set up to deal with certain issues, such as names and number assigning and protocols. These councils will make proposals that will then be subject to the approval of the board.

But it wasn't all rosy agreement at the Geneva IFWP meeting. Discussions were heated between those worried about trademark infringement vs. those interested in becoming registrars of new generic top-level domains, said one meeting attendee who asked to not be identified. The registrars want many new domains to join .com and company, while trademark watchers think this will create a lawsuit nightmare.

Some of the chairs of the meeting included Ira Magaziner, senior advisor on U.S. Internet policy to President Clinton, IANA's Jon Postel, Christopher Wilkinson of the European Commission and Michael Schneider, vice president of EuroISPA, a European Internet service provider organization. More than 300 people participated in the Geneva meeting.

A final consensus won't come until sometime at the end of September, but most are confident that the IANA and other interested parties can come up with a plan in time.

"I am optimistic that industry will get the New Organization formed by Sept. 30," said Ira Magaziner last week at the INET '98 conference in Geneva, which preceded the IFWP meeting. "I believe the private sector is moving toward an agreement."

--By Kristi Essick, IDG News Service


Vinton Cerf says it's time for outer space Internet

Geneva (July 22, 1998) -- Computer chip implants and talking refrigerators may not be a great stretch for technophiles with their eyes on the future, but an interplanetary Internet that connects Pluto to Mars?

In addition to predicting advances in bio-electronics and networked appliances in the early part of the next century, Vinton Cerf, one of the inventors of the Internet and a senior vice president at MCI Communications Corp., said here today that the U.S. government is hard at work on an Interplanetary Channel Protocol that will allow the Internet to be extended out into the solar system.

"The time has come to think beyond the Earth," Cerf said in a keynote speech here this morning. In several years, the scientific community will have the technology to create an "Internet that is out of this world," he said.

By combining TCP/IP with communication protocols developed by NASA, it will be possible to build interplanetary "gateways" that allow data to flow over an outer space Internet, Cerf said, visibly excited by the idea. When data flow from the regular TCP/IP network to one of these gateways, they will be translated into a protocol that allows them to travel great distances between planets, he said.

The idea of a computer on Mars communicating with one on Earth isn't just a fantasy, Cerf said. Right now, the U.S. government is preparing a satellite device that will be left behind on its next mission to Mars, which will act as one of these Internet gateways, he said. On August 3 or 4, the Jet Propulsion Laboratory in the U.S. will announce news in this area, Cerf said.

Anyone who thinks an interplanetary Internet sounds like science fiction would do well to think back to 1993, when no one had heard of the World Wide Web, Cerf said. Today, there are 1.5 million Web sites and 75 percent of the traffic carried on MCI's backbone is Web-related -- impossible to have predicted five years ago, he pointed out.

In fact, those that think the Web is the killer application of the Internet protocol are short-sighted, Cerf said. Any day another application could come along that will make the Web irrelevant, he said. "There may yet be another golden egg to drive traffic on the Internet," Cerf said.

While an Internet in space is an intriguing prospect -- considering it could be used to relay data to and from Earth to other planets in a move to better understand the solar system -- Cerf admits that bio-electronics are perhaps the most interesting technology that will appear in the next decade in terms of usefulness to the average person. From chips embedded in an ear that allow deaf people to hear again, or a wearable device that transmits warning signals to the wearer and her doctor, advances in bio-electronics will change the way we live on Earth, Cerf said.

--Kristi Essick, IDG News Service

U.S. FTC, private sector offer remedies for online privacy

San Francisco (July 21, 1998) --- The U.S. Federal Trade Commission and an alliance of businesses and associations today presented two separate proposals for protecting consumers' privacy online, with the industry group arguing that the measures are sufficient to make further government regulation of the Internet unnecessary.

Along with the FTC, Christine Varney, a former FTC commissioner and adviser to industry body the Online Privacy Alliance which includes Microsoft Corp. and America Online Inc. among its members, presented the proposals this morning to a U.S. House Subcommittee holding hearings on electronic commerce and privacy.

FTC officials said that while they remain hopeful that government regulation can be avoided, the private sector must demonstrate that its program has been implemented and widely adopted by the end of the year. Otherwise, "additional government authority in this area would be appropriate and necessary," FTC officials told the committee, according to an agency statement.

At the center of the debate is the need to protect information submitted by consumers online -- be it credit card numbers, health information or a simple telephone number. Most observers agree that some form of additional measures needs to be taken to protect the public data from misuse; at issue is who should control what steps are taken.

The Online Privacy Alliance aims to keep regulation within the private sector. Its plan calls for the formation of "objective third parties" who would ensure that Web sites comply with certain principles of conduct laid down last month by the alliance. The third parties would also be required to ensure that a mechanism is in place that would allow consumers to file complaints when violations are found.

The third parties would award identifiable "seals" to Web sites, signifying to consumers that the operator of the site conforms to the alliance's privacy principles. Those guidelines include letting people know what will be done with the personal information they submit, and prohibiting Web sites from collecting information from children under 13 without parental consent.

At least two such seal programs exist today, operated by Truste and the Better Business Bureau (BBB Online), Online Privacy Alliance adviser Varney said. Many alliance members are already part of one of these two programs and others plan to use these or similar programs soon, Varney said in a teleconference discussing the proposal.

But critics say self-regulation has proven itself insufficient to protect the privacy needs of consumers. To protect consumers' rights, they say, the U.S. Congress should enact legislation enabling the FTC to craft baselines for protecting privacy during commercial interactions.

"We believe that, on its own, self-regulation will fail to provide meaningful privacy protections for individual privacy," Deirdre Mulligan, of the Center for Democracy and Technology, said in testimony before the committee today, according to a CDT statement.

Just last month the FTC issued a report on Internet privacy which lambasted the online industry for failing to encourage voluntary adoption of even the most basic online fair information practices

Acknowledging that there have been several promising self-regulatory initiatives in recent months, FTC Chairman Robert Pitofsky said considerable barriers must be surmounted for self-regulation to work.

The FTC today presented the committee with a legislative model that it says should be enacted before the end of the year if the private sector's proposal does not prove successful. Under the proposal, all commercial Web sites that collect personal information online would be required to comply with four basic practices:

"The implementation of these practices will vary by industry and with technological developments," FTC officials told the committee. "For this reason, the Commission recommends that any legislation be phrased in general terms and be technologically neutral."

The FTC's proposals are not that different from the principles proposed by the Online Privacy Alliance. The difference is that the FTC would force Web sites to comply, while the alliance hopes that Web site operators will comply based on their own self interest -- because doing so will earn them a recognizable "seal of approval" from one of the third-party validators.

In addition to crafting federal laws to protect privacy, the CDT said the industry should look to technologies that protect privacy, such as anonymizers and P3P -- the Platform for Privacy Preferences. Such technologies may be effective across the global and decentralized environment of the Internet, where law or self-regulation may fail, CDT's Mulligan said.

Development of such privacy enhancing programs will require the U.S. Congress to loosen its current encryption policy, which is "interfering with the availability of technical tools that protect privacy," Mulligan said.

The Online Privacy Alliance's next step is to wage a public information campaign to inform consumers how the seal program works, and to encourage businesses and associations to comply with it, Varney said.

The FTC, meanwhile, will be monitoring its progress.

Online Privacy Alliance members include American Advertising Federation, American Electronics Association, America Online Inc., Apple Computer Inc., AT&T Corp., Bay Networks Inc., Cisco Systems Inc., Compaq Computer Corp., Dell Computer Corp., Direct Marketing Association, European-American Business Council, Hewlett-Packard Co., IBM Corp., Lucent Technologies Inc., MCI Communications Corp, Microsoft Corp., Netscape Communications Corp., Oracle Corp., Sun Microsystems Inc. and Time Warner Inc.

--James Niccolai, IDG News Service



U.S. govt's encryption standard cracked in record time

Boston (July 17, 1998) -- Researchers using a supercomputer built for $250,000 have broken the government's data encryption standard (DES) in less than three days, and in a press conference today warned that their ability to crack DES suggests that terrorists and other miscreants undoubtedly also find it ridiculously easy to unscramble encrypted data.

Government officials and some industry experts have said that it would take millions of dollars to build a supercomputer powerful enough to crack DES encyption code.

The encryption-breaking research was conducted as part of the RSA Laboratory's DES Challenge II contest and was spearheaded by the Electronic Frontier Foundation (EFF), non-profit civil liberties organization that deals with Internet privacy and security issues.

"We would like the government to finally admit that DES is not secure and to encourage stronger cryptography," said Barry Steinhardt, EFF president. The government has contended that it is not possible to build a computer that can break DES without enormous expense.

The EFF DES Cracker, as the supercomputer is called, was designed to break 56-bit encrypted code in record time. It accomplished that -- the previous record was 39 days using a huge network with tens of thousands of computers.

The U.S. government restricts exportation of technology beyond 40 bits and the researchers intended to show that even encryption that is stronger than that can be busted. Such security issues are likely to become greater as the cost of building supercomputers capable of breaking DES become less expensive, the researchers said.

"I could easily see where someone could do this as a (school) science fair project in four or five or six years," said John Gilmore, leader of the EFF code-breaking project and co-founder of EFF.

It took Gilmore and Paul Kocher of Cryptography Research Inc. just 56 hours to figure out the key needed to read scrambled data, trying about a quarter of all of the possible key combinations. The researchers contend that ability debunks the government's arguments in favor of key recovery technology, which calls for a third-party to hold the "keys" to unscramble encrypted data.

"I believe that strong cryptography is the only way to protect ourselves," Kocher said at the press conference, where various of the code-breaking participants said that they believe that foreign governments, such as China, undoubtedly are routinely unscrambling encrypted data sent over the Internet.

DES is used in between one-third and one-half of the market for encryption products, according to data cited by EFF. Financial institutions tend to rely on the standard as does the satellite communications industry.

Those who use DES have long been aware of its potential to be cracked because they run risk assessments, researchers said today.

The team that built the DES-busting machine has not heard from the government regarding the successful unscrambling.

A background document about the EFF DES Cracker can be found at

--Nancy Weil, IDG News Service

13 companies support encryption alternative

San Francisco (July 13, 1998) -- 13 U.S. IT companies are backing encryption technology allowing a network operator to access private information at the behest of law enforcement agencies -- an alternative to the controversial key recovery method and a way that the firms contend will break the current deadlock over network encryption.

The U.S. government so far is limiting the export of strong encryption for national security reasons, a rule opposed by U.S. IT companies which they say puts them at a competitive disadvantage.

The initiative is being led by networking giant Cisco Systems Inc., and has support from Ascend Communications Inc., Bay Networks Inc., 3Com Corp., Hewlett-Packard Co., Intel Corp., Microsoft Corp., Netscape Communications Corp., Network Associates Inc., Novell Inc., RedCreek Communications Inc., Secure Computing Corp., and Sun Microsystems Inc.

10 of the 13 companies which announced the initiative today have applied -- or will apply by the end of the week -- to the U.S. Department of Commerce for licenses to export strong encryption products using the so-called "operator-action" technology.

The operator-action alternative to key recovery, uses what is called a "private doorbell" to enable law enforcement agencies to gain access to encrypted information provided the agencies obtain a court order.

Key recovery encryption requires users to provide "keys" to encrypted data to law enforcement agencies, which then can unlock the coded data if the need arises. That method is under heavy fire from privacy rights activists and also has impeded exportation of U.S. encryption products to some countries that object to the use of keys.

Under the "private doorbell" method proposed today, data transmitted over a network is encrypted at routers through which the data is passing and remains private until law enforcement agencies serve the network operator with a warrant or court order to unlock the information. The network administrator would then capture data sent by the targets of the court order and make it available in unscrambled format. The electronic wiretap only applies to data being passed through routers now and not to information that was previously sent.

The group's proposal aims to give law enforcement agencies the means for placing a digital wire tap on information being passed through routers -- the Internet's equivalent to the post office -- in the same way that these agencies today are able to place a wire tap on telephone conversations, spokespersons for the group said today.

The initiative is built on existing laws and applies them to the world of digital data, said Dan Scheinman, vice president of legal and government affairs at router maker Cisco, one of the key companies backing the initiative.

Compared to the much debated key escrow or key recovery schemes, operator-action, if accepted by the U.S. government as a workable solution, could be implemented faster as it requires less technology.

"This solution eliminates the need to build a key recovery infrastructure," said Doug McGowan, director of Hewlett-Packard Co.'s VerSecure products.

However, being a network layer solution, the operator-action proposal does not provide for encryption at the desktop level or for the encryption of data stored on servers or desktop or mobile computers.

"This represents our best thinking in terms of the networking problem," Cisco's Scheinman said. "Our customers are screaming for encryption in routers. They want to build it into networks, and if we don't have a policy for supporting it, we can't sell our products which means someone else will sell them instead of us."

As far as encryption of stored data is concerned, the IT industry -- which on the whole favors relief from current export restrictions on strong encryption -- still needs to develop creative alternatives that address the concerns of both privacy rights advocates and the government.

"This is not a complete solution, but one step into the right direction," said Kelly Blough, vice president of government affairs at Network Associates.

Compared to key recovery or key escrow approaches to strong encryption, the operator-action method could be built into existing products in a "matter of months, as opposed to years," Cisco's Scheinman said.

A 1996 executive order from U.S. President Bill Clinton established guidelines for the exportation of key management infrastructure encryption products, which was followed by an amendment from the U.S. Commerce Department's Bureau of Export Administration. The amendment covered key escrow or key recovery products. Since then, debate over exportation of encryption products has focused on key management technologies. But a white paper on the issue published by Cisco today notes that a less widely known aspect of the U.S. Commerce Department's rule allows that "other recoverable encryption products" may be licensed for exportation.

The IT companies contend that operator-action technologies, which allow a network operator to provide information to law enforcement agencies that present warrants or court orders, fit that bill. While the alternative isn't perfect, it goes a long way toward appeasing both those who operate electronic commerce sites and consumers who want to be certain their private information is encrypted as it travels over data networks, according to the companies involved in the operator-action initiative.

Law enforcement agencies, notably the National Security Administration (NSA) and the Federal Bureau of Investigation (FBI), have pushed for strong regulation on U.S. exports of encryption products and for technologies that enable law enforcement agencies to access encrypted data. They argue that terrorists and other miscreants will use encryption to avoid detection, plotting crimes via Internet communications. Moreover, strong encryption is needed to keep criminals from accessing private information such as credit card numbers traveling over data networks during e-commerce transactions, according to law enforcement agencies.

Initial reaction from some government agencies and policy makers has been positive, Cisco's Scheinman said.

"The reaction of the FBI has been very positive and they think it is a very workable solution," Scheinman said. He added that the NSA remains less convinced since it believes that operator-action would make its tasks more difficult.

The NSA and FBI could not immediately be reached for comment.

The operator-action group also said it would not sell its products to users in the government or military sectors of countries on the U.S. Department of Commerce's Tier 3 list. The list includes nations to which the U.S. applies special export restrictions or rules.

The countries that are included in Tier 3 are Afghanistan, Albania, Algeria, Andorra, Angola, Armenia, Azerbaijan, Bahrain, Belarus, Bosnia and Herzegovina, Bulgaria, Cambodia, China (People's Republic of), Comoros, Croatia, Djibouti, Egypt, Estonia, Georgia, India, Israel, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Laos, Latvia, Lebanon, Lithuania, Macedonia (The Former Yugoslav Republic of), Mauritania, Moldova, Mongolia, Morocco, Oman, Pakistan, Qatar, Romania, Russia, Saudi Arabia, Serbia and Montenegro, Tajikistan, Tunisia, Turkmenistan, Ukraine, United Arab Emirates, Uzbekistan, Vanuatu, Vietnam, and Yemen.

Cisco's Scheinman also noted that key U.S. Congressional leaders have endorsed the IT group's proposal.

In its white paper on the issue published today, Cisco points to other advantages the operator-action technology may have.

"Some customers also have indicated that operator control of encryption flows is a useful feature for network diagnostics and reporting, and for allowing the efficient transmission of non-sensitive data," the Cisco paper said. "Customers in regulated industries, such as banking and securities, also may need to monitor their employees' communications from time-to-time. Most customers also desire the ability to respond to a court order without exposing all of their data across the Internet or the public switched telephone network."

--Nancy Weil and Torsten Busse, IDG News Service


Professor to appeal landmark encryption export ruling

San Francisco (July 8, 1998) -- Law professor Peter Junger said today that he will appeal a court ruling in favor of the U.S. government that rejected his argument that trade laws limiting the export of encryption software violate his constitutional right to freedom of speech.

Although the ruling handed down last Friday favors the U.S. government's controversial limits on export of encryption software, the opinion is in complete contradiction to another ruling in a very similar case currently being appealed, which Junger said should help his legal team to define the legal strategy as the case proceeds.

"Of course I disagree with the court's opinion, but it is a very clear, well-written opinion that structures the case nicely for us and eliminates some aspects of confusion," Junger told the IDG News Service today. "Ultimately, though, the court made a glaring mistake when it held that software is some sort of device."

Judge James Gwin of the U.S. District Court for the Northern District of Ohio on Friday ruled that existing export restrictions do not violate Junger's constitutional right to free speech -- commonly referred to in the U.S. as the First Amendment rights -- contending that computer programs are not writing but devices that are "inherently functional."

Junger, a law professor at Case Western Reserve University in Cleveland, brought the case against the U.S. Department of Commerce last year to enjoin the enforcement of export regulations on encryption software, which prevent him from publishing his class materials and articles for a course on Computing and the Law on the Internet because they contain some encryption programs.

Junger says encryption programs are writing and thus entitled to the full protection of the First Amendment.

However, Gwin disagreed.

"Among computer software programs, encryption software is especially functional rather than expressive," Gwin wrote in the 32-page ruling. "Like much computer software, encryption source code is inherently functional; it is designed to enable a computer to do a designated task. Encryption source code does not merely explain a cryptographic theory or describe how the software functions. More than describing encryption, the software carries out the function of encryption...In doing this function, the encryption software is indistinguishable from dedicated computer hardware that does encryption."

Junger and some of his supporters, including the Electronic Frontier Foundation (EFF), said Gwin erred in arguing that software is indistinguishable from hardware.

"Judge Gwin looked carefully at the Bernstein case and rejected the idea that software is a form of speech protected by the First Amendment because he considers software and hardware as something operational," said Shari Steele, an attorney for the EFF.

Gwin's ruling rejected an opinion handed down by the Federal District Court Judge Marilyn Patel in San Francisco last year when she ruled in Bernstein vs. Department of State that the encryption regulations of the U.S. government violate the First Amendment. That ruling is currently being appealed by the U.S. government and a decision by the 9th Circuit of Appeals here is expected anytime.

"...[T]he court in Bernstein misunderstood the significance of source code's functionality," Gwin wrote. "Source code is "purely functional" a way that the Bernstein Court's examples of instructions, manuals, and recipes are not. Unlike instructions, a manual, or a recipe, source code actually performs the function it describes. While a recipe provides instructions to a cook, source code is a device, like embedded circuitry in a telephone, that actually does the function of encryption."

In the Bernstein case, University of Illinois Professor Daniel Bernstein contends that software he wrote, just like text in books or newspapers, is a form of speech and thus protected under the First Amendment. Patel agreed with Bernstein, ruling that the encryption regulations violate the First Amendment, as the need to obtain an export license constitute a prior restraint on the freedom of speech.

Junger and Steele both pointed out today that ultimately the U.S. Supreme Court will decide the issue. The outcome partly depends on whether the government will be able to argue that code written in a book is different from the same code stored on a floppy disk, or on a Web site.

Current export regulations, which were initially part of the International Traffic in Arms Regulations (ITAR) administered by the Department of State and now contained in the Export Administration Regulations (EAR) administered by the Department of Commerce, currently permit the export of encryption software in books and other "hard copy," but still requires an export license before publishing the same software in any electronic form or media, including on the Internet.

"I don't see how there can be a distinction [between a book and a floppy] for constitutional purposes," Junger said.

While it is too early to tell how Junger's legal arguments will be structured when he appeals the case to the 6th Circuit Court of Appeals -- a court considered conservative by Junger and the EFF -- it will likely focus on the differences between the Gwin and Patel opinions, Junger said.

The Department of Commerce did not immediately return phone calls seeking comment.

--Torsten Busse, IDG News Service


Euro commission plays down opinion on privacy standards

Brussels (July 2, 1998) -- European observers are voicing their criticism of the U.S.-developed data privacy standards P3P and OPS in time to ensure that the region's opinions are reflected in the final drafts of these standards, according to a senior European Commission official.

"This should be seen as a warning of what our needs are, but it is only a preliminary view which requires further study," said Ulf Bruehann, who monitors the issue for the Commission.

The European Union's advisory committee on the protection of individuals' personal data last month issued a two-page opinion expressing serious concerns about the compatibility of the two standards -- the Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS) -- with the EU's data protection directive, which takes effect in October. The standards, developed at the request of the World Wide Web Consortium (W3C), are designed to provide for secure transmission of a standard personal data file and to be applicable worldwide.

The committee's opinions are not binding. In addition, Bruehann said, "the opinion does not represent the Commission's position."

Nevertheless, it could lead to changes in the draft standards. According to Bruehann, the W3C already has indicated that it has no problem incorporating European concerns, which generally focus on the need to increase the level of protection available though the standards.

The committee's criticisms reflect a wider transatlantic disagreement over the types of rules necessary to ensure a high level of data protection. Although bilateral discussions have intensified recently between Brussels and Washington to resolve these differences in time for implementation of the EU directive, considerable progress is needed to bridge the gap between the two sides. While the EU believes that legislation is required, the U.S. favors a voluntary approach, although it is trying to adapt this approach to some of the EU's concerns, especially regarding complaint procedures for consumers.

The committee's opinion criticizes the standards for failing to adopt the highest known levels of data protection and privacy. But the committee says that the use of the standards "risks shifting the onus primarily onto the individual user to protect himself, a development which would undermine the internationally established principle that it is the 'data controller' who is responsible for complying with data protection principles."

An additional risk, according to the group, is that once the P3P standard is "implemented in the next generation of browsing software, (this implementation) could mislead EU-based operators into believing that they can be discharged of certain of their legal obligations" under the EU data privacy directive, notably regarding the requirement to grant individual users a right of access to their data.

A third area of concern involves protection for users based in the EU connecting with Web sites established in non-EU countries that may not respect the European data privacy directive. As currently drafted, P3P does not provide any information about Web site compliance regarding remedies for consumers. The opinion suggests that changes in P3P could be made to address online consent for transfers of personal data from EU users.

The opinion also suggests that P3P and OPS be modified so that the default position for privacy preferences reflects a user's need "to enjoy a high level of privacy protection including the ability to browse websites anonymously."

Where a Web site operator requests a profile of user data as a condition for access to the site, the user should be asked each time for his consent for the provision of this information, according to the opinion.

"The major browsing software manufacturers have a responsibility to implement P3P and OPS in a manner that enhances rather than reduces levels of privacy protection," the opinion said.

--Elizabeth de Bony, IDG News Service

Electronic check pilot launched in U.S.

Boston (June 30. 1998) -- A group of U.S. banks, IT vendors, and the U.S. Department of Treasury today announced that they have started a pilot test of a business-to-business payment system, using an electronic check.

The first use of an electronic check -- or echeck, designed to replace paper checks and be sent via e-mail -- was a payment made by the Treasury's Financial Management Service to GTE Internetworking as part of a government contract.

Details about other trials of echecks outside of the U.S. were not available from participants in a conference call about the pilot today, beyond brief mention of an upcoming trial of the echeck system in Asia. They also said Singapore is planning to evaluate how to do a pilot project using the technology.

A key benefit of echecks is that they use the existing banking and business infrastructure and payment practices, said Frank Jaffe, vice president of the Financial Services Technology Consortium (FSTC), a non-profit group whose stated goal is to enhance the competitiveness of the U.S. financial services industry. Furthermore, the control of the transaction remains in the hands of the payer and payee, rather than necessitating the involvement of a third party.

The year-long trial of the echeck system is expected to involve about 50 government contractors, and be rolled out for full production use by 2000, according to a statement released by the parties involved. Payments will be made from two U.S. Department of Defense financial centers.

Echecks are signed by the payer using a digital signature, applied using a combination of smartcards and digital public key certificates.

In the current pilot, involving government contractors, recipients of the e-mailed payment can view the echeck and an attached Advice of Payment document. After verifying the Treasury's digital signature, the contractors will endorse the echeck for deposit and e-mail it to their bank, according to the FSTC statement. The bank will receive the deposit, verify both parties' signatures, and enter the echeck into the existing clearing and settlement system. The FSTC estimated that the process will take about two days to complete, compared to about a week for manual paper processes, and claimed that the technology could reduce processing time to a matter of hours.

The echeck payment system is ultimately aimed at small to mid-sized businesses, according to Steve Schutze, senior vice president of Nationsbank, which aims to start developing a commercially available banking product in the middle of next year, after the 12-month pilot runs its course. However, the timing also depends on the server products being available from IBM and Sun, and payment software from RDM being ready for commercial use, he said.

Besides BankBoston and NationsBank, which are providing electronic checking services to their customers using existing accounts, companies involved in the pilot include the following:

One analyst noted that the echeck scheme appears to buck the trend towards business-to-business payments using P-cards, or procurement cards. This credit-card like system is still a "nascent phenomenon," said Vernon Keenan, senior analyst at Zona Research Inc. in Redwood City, CA. "If echeck is properly marketed, it has a chance."

--Elizabeth Heichler, IDG News Service


What did you think of this article?
-Very worth reading
-Worth reading
-Not worth reading
-Too long
-Just right
-Too short
-Too technical
-Just right
-Not technical enough

[Table of Contents]
Sun's Site
[Next story]
Sun's Site

[(c) Copyright  Web Publishing Inc., and IDG Communication company]

If you have technical problems with this magazine, contact

Last modified: