|
| Encrypted
Messages: Uncertainty surrounds the treatment of private communications |
|
| Investing
and carrying on business through an offshore jurisdiction can offer many
advantages to international investors and business people based in the
United States. Privacy is one of the most important benefits sought
from the offshore finance industry, and the ability to ensure private communications
is essential. |
|
| In
recent years, the Internet has become the largest public data communications
network in the world. According to the information service openmarket.com,
the estimated number of Internet users worldwide, at the end of 1998 was
over 147 million. It was also estimated that 52 percent of these
users live in the United States. |
|
| The
same index reports that the number of commercial e-mail communications
sent each day in the United States approaches 7.3 billion messages.
Given the reliance of that many people on Internet communications,
particularly when contacting offshore service providers, issues surrounding
the privacy of communications quickly come to the fore. |
|
|
|
|
|
|
| Need
for security |
|
| As
all e-mail travels from one computer to the next via the World Wide Web,
there is a need to secure the content of what is being sent as it travels
over the Web. One way of overcoming this challenge involves encryption
of the information being sent. |
|
| Encryption
is a process of coding e-mail in such a way that even if intercepted, a
third party will have no way of understanding the contents of a particular
e-mail message. Data can only be decrypted by using a "key" which
reverts the data from its encrypted form back to a plain text form.
The availability and use of encryption is at the heart of the privacy and
security issue faced by e-mail users. |
|
| Robert Bandfield,
of the International Privacy Corporation based in Oregon, realizes the
potential benefits of Internet communications, but at the same time finds
that the whole system is "very insecure". Bandfield expects that
firms offering secure e-mail services will take their services to another
level in order to satisfy the demand for privacy in the offshore industry.
"We can get on-line banking, but our problem still is privacy," he says. |
|
|
|
| Marcel Knecht,
of Credit Suisse (Bahamas) Ltd. based in Nassau, says that the level of
security provided by Internet providers is "always an issue, because privacy
is something we have to respect". At this point, Knecht says that
he does not use the Internet for much of his clients’ banking needs.
In fact, online private banking in the Caribbean offshore centers may still
be the domain of pioneers. "As younger people are attracted
to offshore financial services, Internet use will become more important
to us because these clients will be much more versed in Internet use,"
says Knecht. |
|
| When asked
about the levels of security concerning communications of his clients,
Andre White, of Alliance Investment Management in the Bahamas, stated that
his clients should perhaps be a little more concerned about the privacy
of their Internet transactions. "Many clients are naive about the
different types of technology available," he said White pointed out
that the foundation of private wealth management has always been personal
service. "We have to figure out how best to use the technology so
that it does not infringe on our client relationship. We like the
personal contact of having a voice on the other end of the line," he said.
At the same time, however, White acknowledges that privacy in Internet
communications is an important issue that cannot be ignored. |
|
| Legislative
environment |
|
| In the United
States, draft legislation has been prepared to address the use of encryption
techniques in Internet communications. On February 25th 1999, a bill
was put before the House of Representatives to amend Title 18, United States
Code, to affirm the rights of individuals to use and sell encryption software
in the US. This bill, called the Security and Freedom through Encryption
(SAFE) Act, was approved by the House Commerce Committee on June 23rd,
allowing the bill to continue through the House. |
|
|
|
|
|
|
| The SAFE Act
would not only allow individuals in the United States to use and sell any
form of encryption, it would also prohibit individual states and the federal
government from requiring individuals to relinquish the key to the encryption
technology to any third party. The only circumstance under which
the use of encryption technology would be prohibited is where it is used
for the furtherance of criminal activity. The bill states that: |
|
| Any person
who, in the commission of a felony under a criminal statute of the United
States, knowingly and willfully encrypts incriminating communications or
information relating to that felony with the intent to conceal such communications
or information for the purpose of avoiding detection by law enforcement
agencies or prosecution," shall face criminal penalties, including imprisonment
and/or fines. This bill is currently one of the most contentious
pieces of legislation before the House of Representatives. |
|
| Phil Reitinger,
of the US Department of Justice, explained that at present "there are no
domestic regulations in the US governing the use by private individuals
of any form of encryption." Reitinger also noted that "US authorities
are currently able to subpoena the production of plain text or readable
information, even though the information has been encrypted, and to subpoena
the production of decryption keys." |
|
|
|
| However, Reitinger
also pointed out that "because the Fifth Amendment to the US Constitution
imposes limits on the government's ability to require individuals to assist
investigations against themselves, the scope of the prohibition as applied
to decryption keys has not been definitively decided." He added that
this uncertainty "can be a real problem for law enforcement, because it
needs plain text evidence to prove criminal cases. Law enforcement
supports the use of strong encryption by legitimate entities such as banks
to protect the security of sensitive information, but the use of strong
encryption by criminals will greatly impair our ability to protect public
safety." |
|
| Gretchen Michael,
also of the US Department of Justice, echoes Reitinger's sentiments, stating
that "for the most part, the possession of encryption technology and encrypted
data is treated in the same manner as other property and information in
the US; search warrants must be obtained by law enforcement to seize data
if there is a reasonable expectation of privacy in that data." |
|
| E-mail
options |
|
| Sending messages
over the Internet via a major e-mail provider has been compared to sending
a post card; anyone can access the details of not only what the user is
sending but also from where the message originated and to where it is being
sent. A third party can gain access to e-mail messages simply by
tapping into the e-mail provider’s main computer, as privacy at this point
is minimal. |
|
|
|
| Even the personal
information which users are required to give when they sign on as a user
to an e-mail provider such as MSN Hotmail is not always secure. Privacy
in e-mail communications can generally be attained in one of two ways;
either by purchasing encryption software or by signing up with an Internet
provider that offers encryption capabilities. |
|
| In the first
case, the encrypted messages and information usually remains on the computer
of the user at the user’s place of business. Information is encrypted
on an individual’s computer and then sent to the individual’s regular e-mail
server. The data is then stored on that server until it is sent on
to the individual for whom it is intended. |
|
| In the second
case, the encrypted messages and information will be stored at a remote
location on the server of the Internet provider. There are several
Internet support providers which promote the privacy aspect of their services.
These providers use sophisticated, military-type encryption techniques
to provide security to Internet transmissions. Given the recent legislation
concerning encryption, it is important to distinguish between the different
providers in order to appreciate the levels of security being offered. |
|
| Where the
user decides to encrypt e-mail communications through an Internet provider,
consideration must be given to where the server is located. There
are generally three possibilities: |
|
i)
both the operations of the Internet provider and the server will be located
in the US;
ii) the operations
of the Internet provider will be carried on in the US with the server being
located in another jurisdiction; or
iii) both
the operations of the Internet provider and the server will be located
in a jurisdiction outside the US. |
|
| Server and
operations in the US: Where the operations and the server of the
Internet provider are both located in the US, the degree of privacy available
to the user is largely dependent on the corporate policies of the provider.
Most of these Internet providers, however, are not primarily focused on
the preservation of privacy. As such, they offer limited security
and are not very well suited to conducting private transactions in the
world of offshore finance. |
|
| Operations
only in the US: Where the operations and the Internet provider are
located in the US, with the server located in another jurisdiction, there
is a level of security by the mere fact that the laws of another country
must be dealt with in order to access the encrypted data. |
|
| Hush Communications
USA, for example, is based in Texas with its server located in Vancouver,
Canada. It offers a web-based e-mail system called Hushmail which
is used in the same way as Yahoo!Mail and MSN HotMail. The Hushmail
system uses a mini-program which is downloaded to a user’s computer and
performs encryption on the fly. This process is then reversed at
the other end when the message is decrypted on the computer to which the
message is being sent. Jon Gilliam at Hushmail, notes that the levels
of encryption that Hushmail can offer are such that "it would take 40 servers
40 years to crack the encryption on one single word". Gilliam says
that all Hushmail communications are stored on their servers and not by
the user’s particular Internet service provider. He also stated that
third party access to messages sent by Hushmail is not a great concern
due to the incredible levels of security provided by the encryption technology. |
|
| In regard
to investigations of encrypted communications, Gilliam says that Hushmail
would of course comply with requests from authorities for users’ transmissions
if required to do so, but those transmissions would be totally encrypted,
and completely unreadable by the courts. "Because only the sender
and the recipient of the data transmissions hold the key to the encryption,
which is itself encrypted, the data provided to the courts would be useless
information," he says. Given the current uncertainty regarding the
ability of authorities to access keys to encrypted information, Hushmail
offers a product well-suited to individuals doing business with offshore
financial service providers. |
|
| Server and
operations outside the US: Where both the operations of the Internet
provider and the server are located in a jurisdiction outside the US, and
preferably in an offshore finance jurisdiction, the user is able to take
advantage of the strong privacy and confidentiality features for which
the offshore industry has become known. |
|
| An example
of this offshore scenario is Private Messenger Inc. Both the operations
and the server of Private Messenger are located in the Bahamas. Due
to its location in the Bahamas, Private Messenger is bound by the strict
privacy and confidentiality laws of that jurisdiction. Messages sent
from a computer using the Private Messenger system go directly to the system
server which is located offshore, without being stored on any other server
along the way. Private Messenger has been tailored to the needs of
many clients and businesses involved in international finance. |
|
| The company
offers itself as a full-service provider enabling a user to communicate
with its clients in a safe, secure manner. Like Hushmail, Private
Messenger uses military-strength encryption which is widely considered
to be unbreakable. Private Messenger also uses numbered accounts
rather than named accounts which further the level of anonymity to all
but the user’s intended recipient. |
|
| Conclusion
Given the proliferation
of Internet use in all forms of international business communications,
many industry professionals realize the need for certain levels of security
and privacy. In light of the current status of legislation regarding
the treatment of encryption technology, it will be very important for individuals
to stay abreast of legislative developments concerning their rights to
use communications systems offering high levels of privacy and confidentiality. |
|
 |
|
|
