All I want for Christmas is some PKI – I think
IMAGINE a world where your Practising Certificate is abolished, and to be a solicitor you need to have a Smart Card, which can be used to electronically lock documents and prove you are who you claim you are. You think this couldn’t happen in Scotland?
It has already happened in other countries. It should happen here. It could happen here inside twelve months if people wanted it to. But ours is a profession that has a long-term love affair with pen and paper.
The purpose of this article is to demystify digital “signatures”.
In the paper world millions of paper documents are exchanged daily via Legal Post, Royal Mail, DX and so on. Why? You accept paper-based instructions because you are conditioned to make an indirect and subconscious assessment of the:
- Headed notepaper
- Style & Signature
- Presentation and other features
- Trustworthiness of the sender
If the envelope is sealed, you assume the contents are still intact and confidential.
All this happens instantly as the document is opened, read and interpreted. Doubts can be resolved with comparison to previous documents, the signature can be compared to a known predecessor or a confirmation phone call could be made to the sender. You could even personally visit the offices of the sender to confirm: but who has ever done that? If the integrity of the packaging has been compromised or is suspect the recipient can immediately alert the sender.
It can be argued that in the electronic, e-mail world this comfort factor is less easy, and less intuitive to grasp. Because –
- There may be no opportunity nor time to meet
- Instructions may come from someone you don’t know
- There is no damaged packaging to alert you to hacking and lack of confidentiality
But think about it. In the e-world sending e-mail is like sending a postcard through the mail system. It can be read, copied, changed, added to, examined etc. as it passes through sorting offices. You wouldn’t send your clients letters on a postcard. And this is why increasingly solicitors are adapting to and adopting new technology, seeing and benefiting from increased usage of electronic communications. Benefits include:
- Reduced Office Administrative Costs
- Reduced Post Costs (DX, LP, Royal Mail)
- Responding to client demand
- Faster turnaround times
So how do solicitors operate in an e-world whereby instructions, issued electronically (eg in e-mail), will be immediately trusted and treated as if they had been presented as an original paper document?
Clinging to paper might be easier and more comfortable for you. But it is unlikely to give you a competitive edge. The Law Society of Scotland believes IT and electronic communications offer significant advantages and wants to ensure the profession is best placed to take maximum advantage of these.
People need to know that their e-mails and web traffic will stay confidential. Building a trusted electronic environment requires a number of skills in addition to technical know-how. There are three cornerstones, which are fundamental to the process and solicitors have an advantage in two of them:
- Creation of a trusted environment using Public Key Infrastructure (PKI) technologies
- Legislation and Regulation
- Laws of Evidence
It would be easy if all the issues could be purchased shrink wrapped from a local IT store but the Society can support and assist in this area. By taking a profession-wide view the Society can address all three cornerstones for the benefit of all. The remainder of this article looks at PKI.
A Trusted Environment built on Public Key Infrastructure (PKI)
Some marketing gurus hold that lawyers sell trust, not knowledge of the law; in the same way that Black & Decker sell perfect holes, not drills. Trust is everything in the legal profession. Preserving trust and confidence within the electronic environment can be addressed using PKI techniques.
PKI is really a fancy name given to the collective package of:
- Software
- Technicalities
- Procedures
- Administration and documentation
In combination these provide a secure and trusted environment for electronic-based communications. PKI is much more than a simple software product.
Fundamental to the operation of PKI is the concept of electronic public and private keys. A short explanation is required here to aid understanding with regard to the operation of these keys.
Public and private keys are generated together and operate as a pair. They are useless without each other. Public keys can be distributed to everyone and indeed they should be; private keys must be kept to oneself. Perhaps one day soon, all Scottish solicitors will have their public keys posted on the Law Society website! When I wish to send you a message securely I use your public key to encrypt the message and send it to you in the knowledge that only you, with your secret private key, can decrypt it (i.e. no one else can have read it). Additionally I can sign a message with my private key and send it to you. You can confirm it was me, and only me, who sent it, by using my public key to verify my signature; the same check fails if so much as one character of the message has been altered since I signed it.
Assuming that keys are issued, managed and administered in a tightly controlled way to a given community, trust and confidence follows within that community when using keys to securely exchange information. PKI is the infrastructure, which brings that control for issuing, managing and controlling keys and educates users in the operation of the system.
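To make the two-paragraph description above concrete, here is an added example in Go using only the standard library; it is not code from the article or from the Society's project. A sending solicitor signs an instruction with her private key and seals it with the recipient's public key; the recipient opens it with his private key and checks the signature with the sender's public key. The parties (Alice, Bob and a third party, Eve) and the message text are constructed for the example, and the choice of RSA-2048 with OAEP for sealing and PSS for signing is this example's assumption, since the article does not say which algorithms the Society's provider uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair is one party's pair of keys. The public half can be published
// (for instance on a register); the private half never leaves its owner.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates both halves together; neither is useful without the other.
// Algorithm and key size (RSA-2048) are this example's assumption, not the article's.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// SecureLetter is the electronic equivalent of a sealed, signed letter:
// the body encrypted for the recipient plus the sender's signature over the original text.
type SecureLetter struct {
	Ciphertext []byte
	Signature  []byte
}

// Send signs msg with the sender's private key and seals it with the
// recipient's public key, so only the recipient's private key can open it.
func Send(sender *KeyPair, recipient *rsa.PublicKey, msg []byte) (*SecureLetter, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.Private, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return nil, err
	}
	return &SecureLetter{Ciphertext: ct, Signature: sig}, nil
}

// Receive opens the letter with the recipient's private key and checks the
// signature against the claimed sender's public key. It returns the text,
// whether the signature verified (false means the text was altered or was not
// signed by the holder of the matching private key), and a decryption error,
// which is all anyone other than the intended recipient ever gets.
func Receive(recipient *KeyPair, claimedSender *rsa.PublicKey, letter *SecureLetter) ([]byte, bool, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Private, letter.Ciphertext, nil)
	if err != nil {
		return nil, false, fmt.Errorf("not addressed to this key: %w", err)
	}
	digest := sha256.Sum256(msg)
	ok := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], letter.Signature, nil) == nil
	return msg, ok, nil
}

func main() {
	// Constructed parties and message for the demonstration.
	alice, _ := NewKeyPair() // sending solicitor
	bob, _ := NewKeyPair()   // receiving solicitor
	eve, _ := NewKeyPair()   // someone else on the network

	instruction := []byte("Please settle the Smith conveyance on Friday.")
	letter, err := Send(alice, bob.Public, instruction)
	if err != nil {
		panic(err)
	}

	text, ok, err := Receive(bob, alice.Public, letter)
	fmt.Printf("Bob reads: %q; signature from Alice verified: %v; error: %v\n", text, ok, err)

	_, _, err = Receive(eve, alice.Public, letter)
	fmt.Println("Eve's key fails to open it:", err != nil)

	letter.Signature[0] ^= 0xff // the letter is altered in transit
	_, ok, _ = Receive(bob, alice.Public, letter)
	fmt.Println("After tampering, signature still verifies:", ok)
}
```

What the code does not do is confirm that the public key labelled "Alice" really belongs to a solicitor of that name; the mathematics only proves that whoever holds the matching private key signed the text. Tying a key to a verified identity on the definitive register is the administrative side of PKI the article goes on to describe, and no amount of code replaces it.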
The Law Society of Scotland wishes to support the profession by setting up a PKI infrastructure for the profession to use.
Why, and what, is the Law Society of Scotland doing about this?
There are sound business reasons for the Society to pursue this initiative on behalf of the profession:
- Natural Role extension
- Fragmentation and Avoidance of incompatible solutions
- Consistency In Operation
- Reliable interoperability and acceptance with other systems (e.g. SLAB, ARTL)
The Society already maintains the definitive register of solicitors. It issues Practising Certificates. A natural extension of this is to issue ‘electronic certificates’ or ‘keys’. Issuing keys within a rigorous PKI infrastructure against the definitive register (which no other provider can do) maintains trust and integrity when using and receiving certificates.
A further concern is fragmentation. Fragmentation leads to uncertainty. Do we really want fifty different PKI systems in use amongst Scots lawyers? With just one system, trust can be maintained, understood and ensured. Consistency in operation, management, certificate issue etc. is ensured. Users of the system will be comfortable to accept and recognise certificates of other users, because they understand the rigorous rules of the system. The Society can also manage interoperability with other systems on behalf of users, achieving an economy of scale which individual firms will not achieve.
The Society believes that by being proactive it will avoid the risk that a series of different incompatible solutions (i.e. a number of poorly thought out or implemented PKI infrastructures) will be randomly implemented. Firms should not be expected to study and understand the complexities or technicalities of PKI and it is crucial to avoid a situation whereby firms are pressurised to adopt a solution to suit the providers’ sales figures rather than one for the benefit of the profession.
In a fragmented solution none of this exists. Were there to be a number of systems and certificate providers how would you as a recipient of a secure e-mail know:
- Whether the key from a source can be trusted?
- Has the issuer of the key undertaken rigorous checks to ensure that the user of that key is who he claims to be?
- Is the sender a bona-fide solicitor in the first place?
The answer to these questions is “you don’t know”. With that lack of knowledge comes uncertainty. With uncertainty no trust can exist. Without that trust... what was it lawyers sold again? A free-for-all unfolding across the profession serves neither the interests of solicitors nor clients.
The Society has also been working closely with SLAB and the Registers of Scotland ARTL team (has your firm signed up to the pilot yet – if not why not?) who have initiatives to streamline their processes and make them more efficient. SLAB and ARTL will use the Society’s PKI solution to enable members access to their new developments.
What then has the Society been doing? More than you think, probably.
Since July of this year a small project team headed by the Society’s IT Director, Gordon Brewster, has been assessing the market place. Detailed discussions have taken place with a number of providers. After site visits to the Netherlands Bar, the London Borough of Camden, and Scottish Amicable, an Invitation to Bid document was issued in September, which set out the requirements of the Society on behalf of its members. Five possible providers responded and an assessment panel selected a preferred provider. Detailed discussions are now under way with this company and a presentation to Council will follow shortly.
Marsh, the Society’s insurance broker, has been involved at all stages to ensure risk and relative indemnity insurance matters are addressed. Significant insurance and risk management issues arise in the project and Marsh will continue to be involved in discussions concerning these issues (a fragmented solution, with the profession implementing solutions independently and randomly, will not address this very important issue).
Running in parallel with this, representatives of the project team have taken the opportunity to brief and consult with the profession. Presentations have been given at Nothing But The Net Conference, the Legal Aid Conference and the E-Commerce committee. This article is another part of the process and the authors welcome and encourage feedback from readers with regard to this initiative.
By undertaking this, the Society ensures an economy of scale. The provider will be mandated to provide:
- Profession wide technical training
- Road shows across Scotland to promote and increase awareness
- Comprehensive Help Desk for all users
- Verification of User Identity to secure trust
- Monthly reports to the Society on progress and performance
It is anticipated that this can be provided for a cost of under £1.50 per week per user in the first few years. Once awareness builds and the user base grows economies of scale become significant and the Society believes this can be provided for under £1 per week per user. A firm would immediately recover this cost through reduced DX, LP and Royal Mail charges and increased use of secure and signed e-mails (not to mention the savings in paper, envelopes and administrative time).
Gordon Brewster is Director of IT at the Law Society of Scotland. Paul Motion is a partner with Ledingham Chalmers, Edinburgh, and is the Convener of the Society’s E Commerce Committee. Both authors sat on the PKI assessment panel. The second part of this article is due to appear in February 2002 and will focus upon legal aspects of digital signatures.