Scientific American, November, 1995

Doing Business on the Net

By Anne Eisenberg

Like the leaves of autumn, those resolutely noncommercial days on the Internet when ads were anathema are dwindling fast. Nowadays the Internet's World Wide Web has so much commercial promise that it has spun off an association called the HTML Writers' Guild (http://www.mindspring.com). You can hire one of its members literate in Hypertext Mark-up Language (HTML is the language of the Web) to create dramatic "home pages," sites on the Web where a growing number of businesses advertise their wares. "We're there for the same reason we have banks in malls," one Citibank executive explained. "It's where people congregate."

Web ads are quickly evolving into arresting combinations of sound, text and vivid, point-and-click picture links called image maps. Computer science students who were once stern critics of business on the Net now eye the ads appreciatively, so long as they are not "in your face" -- inserted where people have no choice but to look at them. Besides, commercials may one day pay for Net services, much as they now underwrite programs on radio and television. And the ads are convenient: click on the icon, read about the product and order, all in one step.

Many companies are poised to put not only advertisements but entire catalogues on the Web as routinely as they now list their services in the Yellow Pages. After all, if e-mail could hatch a generation of letter writers by eliminating the bother of envelopes and stamps, surely commerce should blossom when paper catalogues fall, and we all start buying straight from the screen.

For business to thrive, though, people will need a secure way to pay and be paid on the leaky Net, where messages containing credit-card numbers can be intercepted as they travel from machine to machine.
And all those prospective shoppers, entrepreneurs and micromerchants will want not only secure payment mechanisms but also a choice -- cash, check or charge -- before they hit the convenient, brightly colored order links.

Inspired by a vision of untold millions buying and selling on the Net, companies and banks (among them Chase Manhattan, Citibank, CyberCash, DigiCash, Mondex and Microsoft) have joined what is being called the Gold Rush of 1995, as they race to become the Great Central Biller in the Sky. No victors have yet emerged, but early leaders are probably going to provide security in the form of public-key (PK) cryptography, ingenious algorithms that use pairs of unique numerical "keys" for encoding and decoding messages.

If you use PK software for an online shopping trip, you will have your own pair of keys, one public and one as private as the identification number you use to get cash from an automated teller machine. When you order, your program will automatically encrypt the information with your private key. When the company uses your public key to decode the order, it will know without question that the message was generated by you -- the match is the digital signature that authenticates the transaction. Companies in turn will encrypt messages to you with your public key; the messages will be secure, for only you can decrypt and read them, using your private key.

Netscape and other new Web browsers -- software that lets you travel to linked Internet resources without typing complicated addresses -- are known as encrypting browsers; they are ready to help you shop securely on the Net. Some will even come with built-in PK signatures.

Whether the cryptographically cloaked digits of e-money will bestow privacy in addition to security is another, far more contentious matter. When people start using e-wallets instead of cash to rent a video or lend a friend $20, fertile new areas for infringing on privacy will bloom.
Electronic dossiers can be compiled by automated systems that track spending habits. Many people will not want the details of their daily lives collected and stored in, say, consumer preference data banks, joining the folders that already document their health and credit ratings.

Only a few of the emerging electronic payment systems address privacy issues. The untraceable digital cash closest to hand is probably Chaumian cash, named in honor of David Chaum, founder of DigiCash and of the cryptographic protocols that underlie his anonymous digital-money technology. Chaum's patented e-cash is an adaptation of PK cryptography that includes one-way privacy for the payer. The bank can verify that the money is genuine but is blinded from identifying the source. This means you will be able to prove you have made a payment when you need to, but the bank cannot flick a switch to retrieve the records of your travel and entertainment preferences and add them to its data-mining operations.

The terminology of electronic commerce reflects the clash of cultures that has come about as the youthful language of the Net meets the austere discourse of banking. The jaunty "e-" prefix has attached itself firmly to Nettish talk of the e-wallets and e-purses that we will soon be using to make our e-payments. But bankers resist this linguistic cheeriness. They substitute "digital" for "electronic" whenever possible and never shorten it to "d-" when they speak of the digital time stamps and digital signatures they will soon offer us to authenticate our digital payments. And cryptography (known affectionately as crypto on the Net) is still a four-syllable word at the bank, where it is against nature for managers to be linguistically fond of any action that commits them to untraceable communications and exchanges.
We will know the new, hybrid field of electronic commerce is truly on its way when banking ads on the Web offer "strong crypto" and even, as a backup, steganography (the science of hiding the existence of messages in, say, microdots or sound files) for telephone chats with loan officers. On the Net, of course, this service is already known as stego.

-----

Anne Eisenberg (aeisenb@duke.poly.edu) conducts her e-business at Polytechnic University in Brooklyn, N.Y.