< Magazine Index > < Index For This Edition > < Subscribe >

In recent years, the Internet has become the largest public data communications network in the world.  According to the information service openmarket.com, the estimated number of Internet users worldwide, at the end of 1998 was over 147 million.  It was also estimated that 52 percent of these users live in the United States. 

The same index reports that the number of commercial e-mail communications sent each day in the United States approaches 7.3 billion messages.  Given the reliance of  that many people on Internet communications, particularly when contacting offshore service providers, issues surrounding the privacy of communications quickly come to the fore.

Need for security

As all e-mail travels from one computer to the next via the World Wide Web, there is a need to secure the content of what is being sent as it travels over the Web.  One way of overcoming this challenge involves encryption of the information being sent. 

Encryption is a process of coding e-mail in such a way that even if intercepted, a third party will have no way of understanding the contents of a particular e-mail message.  Data can only be decrypted by using a "key" which reverts the data from its encrypted form back to a plain text form.  The availability and use of encryption is at the heart of the privacy and security issue faced by e-mail users.

Robert Bandfield, of the International Privacy Corporation based in Oregon, realizes the potential benefits of Internet communications, but at the same time finds that the whole system is "very insecure".  Bandfield expects that firms offering secure e-mail services will take their services to another level in order to satisfy the demand for privacy in the offshore industry.  "We can get on-line banking, but our problem still is privacy," he says.

Marcel Knecht, of Credit Suisse (Bahamas) Ltd. based in Nassau, says that the level of security provided by Internet providers is "always an issue, because privacy is something we have to respect".  At this point, Knecht says that he does not use the Internet for much of his clients’ banking needs.  In fact, online private banking in the Caribbean offshore centers may still be the domain of pioneers.   "As younger people are attracted to offshore financial services, Internet use will become more important to us because these clients will be much more versed in Internet use," says Knecht.

When asked about the levels of security concerning communications of his clients, Andre White, of Alliance Investment Management in the Bahamas, stated that his clients should perhaps be a little more concerned about the privacy of their Internet transactions.  "Many clients are naive about the different types of technology available," he said  White pointed out that the foundation of private wealth management has always been personal service.  "We have to figure out how best to use the technology so that it does not infringe on our client relationship.  We like the personal contact of having a voice on the other end of the line," he said.  At the same time, however, White acknowledges that privacy in Internet communications is an important issue that cannot be ignored.

Legislative environment

In the United States, draft legislation has been prepared to address the use of encryption techniques in Internet communications.  On February 25th 1999, a bill was put before the House of Representatives to amend Title 18, United States Code, to affirm the rights of individuals to use and sell encryption software in the US.  This bill, called the Security and Freedom through Encryption (SAFE) Act, was approved by the House Commerce Committee on June 23rd, allowing the bill to continue through the House.

The SAFE Act would not only allow individuals in the United States to use and sell any form of encryption, it would also prohibit individual states and the federal government from requiring individuals to relinquish the key to the encryption technology to any third party.  The only circumstance under which the use of encryption technology would be prohibited is where it is used for the furtherance of criminal activity.  The bill states that:

"Any person who, in the commission of a felony under a criminal statute of the United States, knowingly and willfully encrypts incriminating communications or information relating to that felony with the intent to conceal such communications or information for the purpose of avoiding detection by law enforcement agencies or prosecution,"

shall face criminal penalties, including imprisonment and/or fines.  This bill is currently one of the most contentious pieces of legislation before the House of Representatives.

Phil Reitinger, of the US Department of Justice, explained that at present "there are no domestic regulations in the US governing the use by private individuals of any form of encryption."  Reitinger also noted that "US authorities are currently able to subpoena the production of plain text or readable information, even though the information has been encrypted, and to subpoena the production of decryption keys."

However, Reitinger also pointed out that "because the Fifth Amendment to the US Constitution imposes limits on the government's ability to require individuals to assist investigations against themselves, the scope of the prohibition as applied to decryption keys has not been definitively decided."  He added that this uncertainty "can be a real problem for law enforcement, because it needs plain text evidence to prove criminal cases.  Law enforcement supports the use of strong encryption by legitimate entities such as banks to protect the security of sensitive information, but the use of strong encryption by criminals will greatly impair our ability to protect public safety."

Gretchen Michael, also of the US Department of Justice, echoes Reitinger's sentiments, stating that "for the most part, the possession of encryption technology and encrypted data is treated in the same manner as other property and information in the US; search warrants must be obtained by law enforcement to seize data if there is a reasonable expectation of privacy in that data."

E-mail options

Sending messages over the Internet via a major e-mail provider has been compared to sending a post card; anyone can access the details of not only what the user is sending but also from where the message originated and to where it is being sent.  A third party can gain access to e-mail messages simply by tapping into the e-mail provider’s main computer, as privacy at this point is minimal.  Even the personal information which users are required to give when they sign on as a user to an e-mail provider such as MSN Hotmail is not always secure.  Privacy in e-mail communications can generally be attained in one of two ways; either by purchasing encryption software or by signing up with an Internet provider that offers encryption capabilities. 

In the first case, the encrypted messages and information usually remains on the computer of the user at the user’s place of business.  Information is encrypted on an individual’s computer and then sent to the individual’s regular e-mail server.  The data is then stored on that server until it is sent on to the individual for whom it is intended. 

In the second case, the encrypted messages and information will be stored at a remote location on the server of the Internet provider.  There are several Internet support providers which promote the privacy aspect of their services.  These providers use sophisticated, military-type encryption techniques to provide security to Internet transmissions.  Given the recent legislation concerning encryption, it is important to distinguish between the different providers in order to appreciate the levels of security being offered.
Where the user decides to encrypt e-mail communications through an Internet provider, consideration must be given to where the server is located.  There are generally three possibilities:

i) both the operations of the Internet provider and the server will be located in the US;
ii) the operations of the Internet provider will be carried on in the US with the server being located in another jurisdiction; or
iii) both the operations of the Internet provider and the server will be located in a jurisdiction outside the US.

Server and operations in the US:  Where the operations and the server of the Internet provider are both located in the US, the degree of privacy available to the user is largely dependent on the corporate policies of the provider.  Most of these Internet providers, however, are not primarily focused on the preservation of privacy.  As such, they offer limited security and are not very well suited to conducting private transactions in the world of offshore finance.

Operations only in the US:  Where the operations and the Internet provider are located in the US, with the server located in another jurisdiction, there is a level of security by the mere fact that the laws of another country must be dealt with in order to access the encrypted data.

Hush Communications USA, for example, is based in Texas with its server located in Vancouver, Canada.  It offers a web-based e-mail system called Hushmail which is used in the same way as Yahoo!Mail and MSN HotMail.  The Hushmail system uses a mini-program which is downloaded to a user’s computer and performs encryption on the fly.  This process is then reversed at the other end when the message is decrypted on the computer to which the message is being sent.  Jon Gilliam at Hushmail, notes that the levels of encryption that Hushmail can offer are such that "it would take 40 servers 40 years to crack the encryption on one single word".  Gilliam says that all Hushmail communications are stored on their servers and not by the user’s particular Internet service provider.  He also stated that third party access to messages sent by Hushmail is not a great concern due to the incredible levels of security provided by the encryption technology. 

In regard to investigations of encrypted communications, Gilliam says that Hushmail would of course comply with requests from authorities for users’ transmissions if required to do so, but those transmissions would be totally encrypted, and completely unreadable by the courts.  "Because only the sender and the recipient of the data transmissions hold the key to the encryption, which is itself encrypted, the data provided to the courts would be useless information," he says.  Given the current uncertainty regarding the ability of authorities to access keys to encrypted information, Hushmail offers a product well-suited to individuals doing business with offshore financial service providers.

Server and operations outside the US:  Where both the operations of the Internet provider and the server are located in a jurisdiction outside the US, and preferably in an offshore finance jurisdiction, the user is able to take advantage of the strong privacy and confidentiality features for which the offshore industry has become known.

An example of this offshore scenario is Private Messenger Inc.  Both the operations and the server of Private Messenger are located in the Bahamas.  Due to its location in the Bahamas, Private Messenger is bound by the strict privacy and confidentiality laws of that jurisdiction.  Messages sent from a computer using the Private Messenger system go directly to the system server which is located offshore, without being stored on any other server along the way.  Private Messenger has been tailored to the needs of many clients and businesses involved in international finance.

The company offers itself as a full-service provider enabling a user to communicate with its clients in a safe, secure manner.  Like Hushmail, Private Messenger uses military-strength encryption which is widely considered to be unbreakable.  Private Messenger also uses numbered accounts rather than named accounts which further the level of anonymity to all but the user’s intended recipient.

Conclusion

Given the proliferation of Internet use in all forms of international business communications, many industry professionals realize the need for certain levels of security and privacy.  In light of the current status of legislation regarding the treatment of encryption technology, it will be very important for individuals to stay abreast of legislative developments concerning their rights to use communications systems offering high levels of privacy and confidentiality.
 

Jesse J. Henry is a reporter and staff researcher for Offshore Finance U.S.A. magazine. [Copyright 1999 O.F.C. Publications Inc. This article was published in the September/October 1999 issue of Offshore Finance U.S.A. magazine]