The Internet, and the World Wide Web in particular, has been trumpeted for two years as one of the key places to conduct business in the 1990s. However, despite large investments by a great number of firms, on-line commerce is only a fraction of what it was projected to be by this point. Estimates suggest that only about 3 percent of business purchases, key to any retail market, are conducted on-line. The promised advent of e-commerce appears to be a white elephant.

However, when you ask businesses and consumers why they do not use the Internet for purchases, there is a recurring theme in their responses. People are concerned that the information they send across the net will not be secure. There is a tendency, given this uncertainty about security, to use existing means of purchasing—especially for work-related items. Although there is yet to be a documented case of fraud from e-mail interception of a credit card number, this wariness is prudent. In business terms, it is generally better to be safe than sorry, and until this concern is addressed, e-commerce will remain a niche market.

Early on in the development of net commerce, computer programmers responded to these security concerns by designing encryption keys, or codes, that allow users to share data privately. Using these codes, only the person transmitting the data and the person receiving the data have the ability to read an encrypted message. Codes now exist that are technically very difficult, and economically prohibitive, to crack. The only problem is that, until very recently, using these codes was illegal.

The Internet was originally developed in the United States, and to this day it remains the most wired nation on Earth. It has the highest proportion of its citizens on-line. As a result, regulations that affect the net in the US have a significant effect on Internet users around the world. Under regulations that were devised for the Cold War, the export of what is called "strong encryption" was restricted in the United States. Concerned that potentially unbreakable codes could fall into the hands of the enemy, the U.S. prohibited the export of any encryption software beyond a certain level of complexity. Encryption programs are currently treated under US law like munitions, and under these laws the export of strong encryption is the equivalent of international arms smuggling.

Now, since the Internet is borderless, this means that any strong encryption developed could not be used on the World Wide Web, the place where it is most needed. If you were to provide strong encryption to users of your Web site, you would first have to make sure that your customer was an American. This, as one might imagine, is difficult to do, so very few codes were made available on-line. E-commerce was stopped dead in its tracks.

Fortunately, market forces came to the rescue. Seeing an opportunity to grab the world market in encryption services, computer programmers around the world have raced to provide their own encryption systems. For example, Germany's Brokat and Siemens Nixdorf are aggressively promoting encryption products that are much stronger than those that US companies can export. Another successful encryption firm based in Russia has a staff composed of computer scientists who used to work for the Soviet space program. A number of Canadian firms have entered the market as well, since NAFTA provides Canada with a particularly advantageous jurisdictional position.

Computer programmers in the United States raised the alarm. One group, the Information Technology Association of America (ITAA), has been lobbying on Capitol Hill for months to end the regulation of encryption. As their president put it, "Every day that goes by translates into a loss of market share and loss of US jobs." The ITAA's solution to this problem was to de-regulate the export of encryption.

There were, however, powerful actors in Washington supporting the law. The Federal Bureau of Investigation argued that access to encrypted documents was an important tool in domestic intelligence gathering. The FBI suggested that strong encryption could be made available, but only if they were assured access to the keys. This would have the effect of creating a broad international wiretapping ability for the FBI. Of course, the FBI made assurances that no encrypted e-mail would be opened without law enforcement first obtaining a warrant. However, it is unlikely that if the FBI wanted to open an e-mail in a non-US jurisdiction, such as Canada, it would first seek a warrant.

So the Internet was at a crossroads. Two competing views of Internet security were being put forward, one which maximized the privacy of the individual, and one which maximized the law enforcement and security powers of the state.

Not willing to wait for the government to sort out which way it was going to go, a handful of US software developers began distributing their own strong encryption keys. One such programmer, Professor Daniel Bernstein, was charged with violating the export restrictions by the Commerce Department. This dispute ultimately ended up in federal court in San Francisco, and was ultimately decided in the professor's favour. In her ruling, the judge ordered the government not to prosecute the plaintiff, and those who use or publish his encryption software. "The court declares that the Export Administration Regulations . . . insofar as they apply to or require licensing for encryption and decryption software and related devices and technology, are in violation of the First Amendment on the grounds of prior restraint and are, therefore, unconstitutional," she said.

It appears that this ruling will stick. The underpinning of the ruling, which confirms that computer programs are "literary works," and as such are protected under the First Amendment, is an argument that many analysts have indicated will be persuasive to higher courts. This, accompanied by the clamouring for the opening up of encryption markets by groups like the ITAA, will likely ensure that the ruling is upheld, removing the last remaining barrier to secure net commerce, and opening up the world market in encryption.

An interesting aside is that the basic information that one needs to create strong encryption has been available for years. The process of creating a code cannot itself be secret if you want people to begin developing its use as a tool. The code protocol must be public, while the specific encoding for a document remains secret to all but the users. This is what is meant by the term "public key encryption." Think of it as a door lock. The locking system is available to anyone, but the specific key is different from home to home.

Whether or not this ruling had been made, it seems that the information to make strong encryption would have continued to be sent around the net, making enforcement of the law impossible. Encryption would eventually have become commonplace, and net commerce would have emerged. So in the end, the Internet eventually would have liberated itself. By making this wise ruling, however, Judge Patel has achieved this objective in a much more efficient manner. The net is finally open for business.