Children's Online Privacy Protection Rule - Comment, P994504
TO: Federal Trade Commission
FROM: James Brandt
DATE: June 11, 1999
This comment responds to the FTC request for feedback regarding the above-referenced Proposed Rule and associated questions raised by the FTC, including those concerning commentary on Section 312.5(b) proposing various methods to obtain verifiable parental consent. Specifically, this comment responds to question 13(f), which asks to what extent digital signature technology is in use now and whether there are obstacles to the general commercial availability or use of digital signature technology.
Only public-key based cryptographic methods can provide adequate and scalable security for information communicated over open systems such as the Internet. With few exceptions, only asymmetric cryptography, such as that invoked by digital signatures, can provide strong support for nonrepudiation. Biometric technologies cannot themselves substitute for cryptographic methods in securing open, distributed systems, and PIN/password solutions are inherently weak as an authentication mechanism.
Digital signature technology and supporting public key infrastructures (PKI) are commercially available to support the authentication and privacy requirements that are mandated by this rule. As in any system that implements advanced technology, particularly one where security is important, there are practical policy and deployment issues to resolve. These deployment and policy issues are easily reconcilable within the current deployed technology base. As such, we encourage the FTC to continue to foster the use and deployment of PKIs and digital signatures as an acceptable, if not preferred, authentication and privacy mechanism.
Public Key Technology is mature and commercially available.
Public key based algorithms and the supporting mathematical concepts have been studied internationally by the world's leading mathematicians and cryptographers in academia, industry, and government for many years. For more than a decade, the Department of Defense has deployed hundreds of thousands of PKI-based applications to protect the Nation's most guarded secrets. These applications have consumed millions of public/private key pairs issued and managed by centralized key and certificate management systems.
Until recently, government agencies such as the DOD that had a need for robust information assurance technology had to build, operate, and maintain their own systems. This was, in part, due to the fact that commercial security technology was not readily available, and that the bulk of the information to be protected was classified and required extremely "high-end" implementations. This is no longer the case. Over the past several years, a commercial security industry has emerged to satisfy the insatiable commercial and government quest for e-business over the Internet. Even within the DOD, the predominant amount of data that requires protection is no longer classified. Nonetheless, the integrity, confidentiality, and accessibility of government-sensitive, business-proprietary, and personal-privacy information must be assured.
In response to this growing and diverse customer base, the commercial security industry has responded with many high quality security applications based on established protocols and standards. For example, secure web browsing, using the secure sockets layer (SSL) protocol, is an integrated feature contained within nearly all off-the-shelf commercial Web browsers. Also, there are a dozen or more secure e-mail clients that are interoperable using the leading secure messaging protocol (S/MIME). All of these applications require digital certificates to enable their security services and a supporting PKI to issue and manage the certificates.
PKI and digital certificates are recognized as the de facto standard for Internet security.
PKI is unquestionably viewed as the predominant enabler for widespread secure electronic commerce and communications over the Internet. Governments, banks and other financial services entities, universities, and many other sectors are aggressively deploying PKI-enabled applications, using digital certificate based technology for secure e-mail, secure web access to databases, secure data submission via on-line forms, remote dial-up via secure virtual private networks, and many other applications.
A Forrester Research report (February 1998) indicated that many Fortune 1,000 companies believe that within two years (1999-2000) they will be spending 40% of their security dollars for digital certificate and PKI deployments. The Giga Information Group, Inc. estimates there will be up to 450 large enterprise (corporate or trading network) PKI deployments in 1999. For example, the Automotive Network Exchange (ANX) recently announced their commitment to deploy PKI-based Virtual Private Network (VPN) technology throughout the major automotive manufacturers and their suppliers over the next year. Moreover, most of the large and mid-size banks, including Bank of America, First Union and NationsBank, are deploying PKI technology for their secure Intranet and Extranet applications. There are many, many more examples of major vertical industries and large corporations committing to PKI-based security solutions.
Government too has accepted PKI technology as the de facto standard for network security. Dr. John Hamre, the Deputy Secretary of Defense, released a policy mandate that will require all DOD users (over 2 million persons) to have a digital certificate by October 2001. Initial fielding has already started. Within the civil government sector, many agencies including the Internal Revenue Service, Social Security Administration, and the Department of Veterans Affairs have started PKI evaluation pilot projects to understand how to best implement this technology. Moreover, the General Services Administration is in the process of awarding one or more contracts to commercial certification authorities to issue certificates to citizens for secure on-line access to government benefits-related information and services. The Government Paperwork Elimination Act (GPEA), Title XVII of Public Law 105-277, provides for Federal Agencies to give persons who maintain, submit, or disclose information the option of doing so electronically. GPEA requires the use of electronic signature methods, including digital signatures, to verify the identity of the sender and integrity of the associated electronic content. There is no question regarding the overwhelming commitment to, and acceptance of, digital certificates and PKI.
Commercial PKI product and service offerings are available today.
The commercial PKI industry has responded to this accelerating demand with diverse products and services. VeriSign, for example, has made an extensive investment to establish a highly available, robust, global PKI that provides digital certificate services for Internet and Enterprise applications: the VeriSign Trust Network (VTN). In the Internet market, VeriSign has issued over 125,000 server certificates used by web servers for secure, authenticated browser-based communications via SSL. The deployment rate of server certificates is about 6,000 a month and increasing by about 25% quarterly. As to individual "client" certificates (similar to those that could be issued to children to confirm parental consent in satisfaction of the Children's Online Protection Act), VeriSign has issued nearly 3,000,000 to exchange secure mail, securely access web pages, submit data via secure forms, commute over the Internet to a corporate network, and many other applications. VeriSign's extensive experience in operating and managing its global "public" VTN is directly applicable to successful delivery and maintainability of a "consumer friendly" PKI.
As indicated above, PKI deployments are advancing within most Fortune 1,000 companies. Some of VeriSign's most recognized customers include the Bank of America, Diner's Club, Dow Jones, Federal Reserve Bank of NY, NationsBank, Novus/Discover, Royal Bank of Canada, VISA, Hewlett-Packard, Softbank, Ameritech, AT&T, British Telecommunications (BT), First Union, Morgan Stanley Dean Witter, and Texas Instruments. VeriSign alone has over 400 enterprise customers in government and industry that have either deployed or are in the process of deploying PKI within their corporate environment. See http://www.verisign.com/enterprise/quotes/customer.html for some examples of how VeriSign customers are deploying PKI-based solutions today.
PKI is admittedly a large system issue, and requires more than just a piece of software that churns out certificates. Yes, certificate issuance and management is extremely important, but the way the PKI supports and responds to diverse user needs and environments is also important. Since all verification tools and methodologies have risks and security sensitivities, the trustworthiness of the policies, practices, people, and facilities that collectively comprise the operational PKI is also important. See http://www.verisign.com/whitepaper/enterprise/difference/index.html for an analysis of the critical factors associated with successful PKI deployments.
Moreover, the legal and business framework within which a PKI operates, apportionment of obligations and responsibilities, and ultimately liability, must also be well constructed.
The PKI industry has responded to these concerns by establishing a Certification Practices Statement (CPS) framework for addressing these issues. VeriSign, a pioneer in the establishment of the CPS framework, has established and published its CPS at http://www.verisign.com/repository/index.html. It provides a model of how to address these complex issues, which is particularly important in the context of citizens (particularly children) as consumers of the PKI.
The PKI industry is positioned to support the Children's Online Privacy Protection Act.
There are no fundamental obstacles for including, if not preferring, PKI as an acceptable mechanism to support the security services required by this Act. Web servers used to collect and solicit personal information for any consumer, let alone a child, should install a Server Certificate to provide strong evidence of the authenticated domain name used by that server/merchant, and to provide a strong cryptographic link between the consumer's web browser and the server to protect the privacy of information when using the Internet. To assist consumers to more readily identify and differentiate the policies undertaken by a particular web site, a site seal program such as that provided by the TRUSTe (http://www.truste.org/users/assurance.html) program is appropriate.
On the client side, certificates may also be used to provide authenticated parental consent. VeriSign has identified a number of viable scenarios to provide certificates for this purpose. These certificates, although unique, could in fact be anonymous in identity content to protect the privacy of each child. Moreover, the parent or guardian can easily be involved in the certificate approval process and parents can select the privacy policies for which their permission is conditioned. The certificate then becomes a permission "key" that will only permit access to certain sites that conform to the "locks" characterized by the particular policy represented. The important point is that there are numerous scenarios, all of which are achievable with a low level of effort, that are both scalable and affordable.
These comments are not intended to provide a definitive architecture or approach. Rather, they represent approaches that will satisfy the mandate of the Act in a scalable, inexpensive and practical manner. PKI technology is an appropriate solution to provide the security services required by this Act. VeriSign would be pleased to participate in additional fora to more fully explore these concepts and solutions.
We appreciate the opportunity to comment and applaud the FTC in their pro-active approach to use the best of America's technology to protect the rights and innocence of its most precious citizens: our kids.