Privacy Broker: Likely Internet Role for Banks?

Bankers' payment-systems supremacy is facing yet another challenge, but this is one the industry may be uniquely qualified to take on.

Though the threat has a familiar ring-more disintermediation as commerce goes electronic-the logical response plays to two of banking's strengths: trust and security.

Bankers are beginning to grasp the possibilities of transferring and adapting those valuable assets to the Internet. They are even being egged on by technology experts who have ventured deep into cyberspace and found it lacking exactly what bankers are in a position to offer.

The job of trusted third party or certifying agent or privacy broker, as it is variously called, seems theirs for the taking. As guardians of on- line trust, they would manage the electronic credentials that assure that buyers and sellers are who they say they are-and would get paid for it.

If only it were that simple.

Electronic commerce is developing according to rules, and with a set of technology requirements, that do not directly translate from the physical world. The trust and stability evoked by banks' offices, vaults, and, more intangibly, their brand names and risk management reputations require some degree of retooling.

Experts inside and outside the banking industry agree that at the operational core of on-line trust are the techniques of digital certification. It is the closest thing to signature verification that virtual-world technologists have come up with. In theory, when fully developed and appropriately deployed, this derivative of data encryption technology, binding intricate mathematical codes to a consumer's or company's identity, could be even more reliable and secure than written signatures.

That very theory is what the MasterCard and Visa networks are supposed to be proving with SET, the Secure Electronic Transaction protocol, which requires digital certificates for banks, merchants, and cardholders. A purchaser would use the digital code, rather than a card number, to initiate a transaction; the certificate would represent authentication by a bank or other certificate authority.

SET has gained some acceptance overseas but almost none in the United States, therefore contributing little to the mainstreaming of digital certification.

The concept has, however, attained some level of business-world consciousness through initial public offerings this year by two specialists in the field, Verisign Inc. and Entrust Technologies Inc. These companies and others stand ready to give banks the software or outsourcing support they need to authenticate people doing business facelessly on the World Wide Web.

Last month, working with the Zions Bancorp. affiliate Digital Signature Trust Co. of Salt Lake City, the American Bankers Association launched ABAecom, which hopes to take responsibility for the certification hierarchy for the entire financial services industry. It starts with a root key and cascades down to user certificates and digitally signed transactions.

The banker involvement is a sign that "e-commerce is starting to grow up," said Michael Cation, president of GlobeSet Inc., an Austin, Tex., software company active in SET and digital certificates. "Financial institutions are becoming more forceful," he said.

To wit, Bankers Trust Corp. and Chase Manhattan Corp. recently contributed to a second round of financing for GlobeSet. Vice chairmen George Vojta of Bankers Trust and Joseph Sponholz of Chase took seats on its board.

"I think 1999 will be the year of PKI (public key encryption infrastructure) in the financial services industry," said Scott Lowry, president of Digital Signature Trust.

But this is complicated business. Operationally, bankers have to learn an art and science that historically had more to do with military command and communications than with buying and selling.

To make a business out of it, they have to find a way to make money. And the uncertainties get wrapped up in "who controls the payment system?" and "are banks about to lose another of their bastions?"

"Some banks are very sophisticated in this area, putting a lot of resources into developing and understanding the business opportunities," said Elliott McEntee, president of the National Automated Clearing House Association, which sponsored a digital certificate test involving BankAmerica Corp., Citicorp, Mellon Bank Corp., and Zions Bancorp.

"Others don't see the product being used on a widespread basis for three, five, or seven years," he said. "They don't see a business case."

They see no compelling need to rush into activities that are in a state of developmental flux with no apparent revenue stream. But if, as research says, perceived insecurity is inhibiting electronic commerce, who better than bankers to fill the breach?

"This happens to be a remarkably mature technology," Frank Jaffe, applied technology consultant with BankBoston Corp., said of the PKIs- public key infrastructures-that underlie digital certificate operations.

"But the application of the technology, from a business perspective, is very immature," he said. "We will see serious changes in the business model as this goes forward."

Bankers have let too many of their dominant businesses slip away-large- corporate lending, credit card processing, mortgage servicing-not to be at least a bit uneasy that the pattern will repeat itself in Internet payments and security.

"No one knows if it is going to be successful," Mr. McEntee said. "But if it is, banks had better be in there, and in a big way."

Insurance, securities, and telecommunications companies and accounting firms may have their eye on certificate authority roles.

"The market will insist on privacy brokers," said Mitchell Grooms, co- founder of Secured Information Technology Inc., a year-old company crusading for what it considers a bank-centric trust model for the digital economy.

"Either the banks will create (the business), or somebody else will," he said. "It is what banks do, and they do it well."

Mr. Grooms' Los Angeles-based company, SITI, is one of a new breed with some new ideas for building business cases around the public key and certificate authority, or CA, infrastructures that some banks find uninviting or daunting.

Aside from a "strategic vision" of the way on-line transactions will evolve, SITI enters the fray with patents on elliptic curve cryptography and a budding relationship with the transaction processing giant First Data Corp. (See related article on page 19.)

SITI is not alone in championing elliptic curve, a method of data scrambling that, because of some inherent efficiencies, could pose a challenge to the algorithms associated with RSA Data Security Inc., the established leader in encryption technology. Elliptic curve has been more prominently associated with Certicom Corp. of Canada, which has licensed its system to companies that make compact and wireless devices and smart cards that cannot easily handle the long RSA encryption keys.

SITI claims some superiority over Certicom, and it will take time and the marketplace to render a verdict. But promoters of elliptic curve agree that it must come into play if digital certificates are ever to be stored in chip cards or "scale up" to customers and merchants numbering in the millions.

"A lot of people are rooting for (elliptic curve) because of the short keys," said Mr. Jaffe. But first it has to get through the stress testing by scientists and business developers that made the RSA methods as dependable as they are, and some standardization bodies still have to give their imprimatur.

"Elliptic curve has been around for years and has been tested quite thoroughly," said Henry Dreifus, an Orlando-based consultant. But in the formative market stages, "companies are not betting on just one technology. They are placing many bets. At some point somebody will blink and a given process will move ahead very fast. One could own the banking trade, or insurance, or telecommunications-that industry has been tweaking elliptic curve for some time."

There are other streamlining measures.

Assuming commerce goes global, with certificates and associated digital signatures that must be exchanged among different certificate authorities, some type of cross-certification will be required. Nacha began to get at that through interoperability testing with Entrust, Verisign, Digital Signature Trust, Certco LLC, and GTE Cybertrust Solutions.

"Issuing a certificate is easy," said John Ryan, president of Entrust, a Richardson, Tex.-based spinoff of Northern Telecom of Canada. "You can do millions an hour on a relatively inexpensive server. It is the management of the digital ID that is hard and has to be automated." That includes knowing when a certificate, like a credit card account, has expired or must be revoked.

Valicert Inc. says the customary maintenance of certificate revocation lists, or CRLs, is too unwieldy for large-scale, mass-market operations. The Mountain View, Calif., company's alternative certificate validation system addresses that problem.

Diversinet Corp., another product of Canada's PKI ferment that, like Certicom, has set up shop in Silicon Valley, sweeps the revocation problem aside. It proposes issuing to an individual a single certificate for multiple uses. Authorizations or permissions are attached to that certificate for defined or limited purposes. Processing efficiencies are gained through not needing a CRL and by limiting the personal information attached to the certificate.

"It is just like going to an automated teller machine," said Diversinet president Nagy Moustafa. "If the transaction is on-line, you validate it on-line and don't need the overhead of a CRL."

That type of thinking has led to more radical suggestions-a different type of certificate or a revised approach to the infrastructure.

Mr. Lowry of Digital Signature Trust said "thin or anonymous certificates" could find a niche, perhaps as an alternative to the slow- moving SET. The certificate is reduced to a number for transmission over the Internet, which provides a pointer to client information in a data base.

Lynn and Anne Wheeler, a husband-and-wife team of computer scientists, have shaken up the certificate authority establishment with their proposal for AADS, Account Authority Digital Signatures.

Veterans of "skunkworks" research and development at International Business Machines Corp., the Wheelers work in advanced technology development at First Data Corp. and spend a portion of their time on the road stumping for AADS and debunking the traditional CA-driven digital signatures-at least as they apply to on-line commerce.

The certificate authority model, they maintain, was developed for off- line authentication of parties who may not know each other. For on-line dealings where a relationship is already established, they propose simplifying certificates by integrating them in financial account records.

The simplification lends itself to large-scale deployment, possibly aided by elliptic curve cryptography. The Wheelers warn bankers and others against getting a false sense of satisfaction from limited pilots based on old technology.

"If you are doing a small pilot for 1,000 customers, the costs are in tens of thousands of dollars, and it doesn't pay to modify legacy systems," Mr. Wheeler said in a recent interview. "Once you get into significant production"-he said that could be 5% or more of a multimillion-customer account base-"it becomes less expensive to modify the structure for all accounts than to maintain a parallel system" for digital signatures.

The Wheelers buttress their arguments with concerns about security and privacy when certificates carry a lot of personal information over the Internet, and they emphasize a business case, including compatibility with legacy systems and conventional payment processes.

They get a lot of philosophical agreement on the latter point.

Mr. Cation said it is an article of faith for his company, GlobeSet, that all products provide "secure access to the existing infrastructure of the financial institution." Banks essentially own "the four-corner transactional model" of customer and merchant, paying bank and receiving bank, which they can carry over to e-commerce.

"The right business model to use is the banking industry's, not the military's," Mr. Cation said.

William Crowell was steeped in hierarchical CAs when he was deputy director of the National Security Agency. Now vice president of Cylink Corp., an information security vendor in Sunnyvale, Calif., he said there will be limits to certificate authority scalability, and in many business settings "I will generally prefer to get certificates for special purposes."

In government settings, "there was always a final authority, a clear hierarchy," said Nicholas DiGiacomo, who recently left Science Applications International Corp. to join the Internet business consulting firm Scient Corp. of San Francisco. "A distributed model" is needed for business, but technologists came out of the military "doing what they knew how to do."

He said businesses will be reluctant to cede trust functions to third parties and will come to exchange assurances and manage risk much as they do with letters of credit.

"Maybe you and I would want to use something like SET for a few transactions," said Mr. Dreifus. But once the relationship is established, "we would not need a Visa or the post office" as CA, and exchanges would be much cheaper.

"Banks like the account authority structure, they identify with it immediately," said Mrs. Wheeler. "It is a bank-centric approach to electronic commerce. They recognize it when they see it."

"We don't say there is no purpose in certificates," Mr. Wheeler added. "But a lot of purposes are better served with an account-based infrastructure."

Like any scientific paradigm, the Wheelers' AADS is controversial and struggling to break out. Mr. Lowry pointed out that AADS "has not been embraced by the broader CA community" and even First Data Corp. is exploring multiple options.

Yet AADS has gained the status of a proposed industry standard, X9.59, and has gotten heard by the Bankers Roundtable's Banking Industry Technology Secretariat, Global Concepts Inc.'s Internet Forum, and various panels of cryptography experts.

"The Wheelers are basically saying you can get the benefits of digital signatures without all this infrastructure," said David Stewart, vice president of Atlanta-based Global Concepts. "Maybe these mega-CAs are not necessary. Maybe people should be thinking inside the box before they go outside."

He wrote a paper calling AADS "a brilliantly simple solution with potentially far-reaching implications for the payments system as a whole."

Meanwhile, the established technology is taking root, particularly for internal corporate and business-to-business needs, where it could catch on faster than consumer e-commerce and eventually spill over. Mr. Ryan of Entrust claimed he can deliver whatever speed, simplicity, and security the critics are calling for. One of his clients, Bank of Nova Scotia, has "scaled up" to 100,000 certificates and 50,000 active users, he said.

"These will coexist for a while," said Mr. Dreifus. "This is still a pre-industry in terms of consumer-level, everyday encryption. Nobody has figured out how to manage this big-number problem of keys and certificates and the controls needed to protect the entire infrastructure."

"People say the banks are slow, but they have to go through a certain due diligence," said Mr. Stewart. "What the Wheelers have done is, at the least, a good gut check."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER