Further, for litigation planning, you may also wish to generate digitally signed audit trails. Many applications keep logs of their activities; for example, “signed document on 12/12/2002 at 12:10 p.m.; sent document on 12/12/2002 at 12:11 p.m.” Such log files should also be digitally signed,
using a tamperproof hardware device.
Effective Security Depends on Shared Cultural Assumptions
Most prison security systems depend heavily on the cultural assumption that prison wardens are not motivated to release
. Since the majority of wardens obviously are not so motivated, the
security system works. ATM machine security depends heavily on a common-sense materialistic assumption that it is not in our interests to reveal our ATM card PINs. That assumption is overwhelmingly correct; and, again, the system works. Digital signature security, like credit card security, depends on an equally common-sense assumption that it is not in our best interests to allow our private key to fall into third-party hands, thereby running the risk of incurring fraudulently attributed
liabilities to unknown parties.
Such assumptions disintegrate in the case of electronic voting in political
, where such voting is carried out away from a polling
. From a straightforward technical security perspective, electronic voting is
in any event. Contracting parties use digital signatures to bind contractual obligations to named individuals. By contrast, online voters are at pains to
anonymous. Further, contracts usually exist in a wider context. That context can be a telling source of corroborative evidence to
a contractual dispute. However, online voting is a once-off event—it is deliberately designed so that there should not be any corroborative evidence of a
Arguably however, off-site online political voting’s greatest security threat is a cultural one: voter apathy. In the West, a significant minority of potential voters is alienated from party politics. They do not vote. They have no incentive to maintain the security of their online votes. In fact, they have every incentive, particularly in marginal constituencies, illegally to sell their
to unscrupulous party activists.
Strong security and effective policies can guard against
’s satisfaction. However, where a
indifferent and mercenary voter is voting
, there is little that even the best security can do to prevent fraudulent
. Once such voter fraud is credibly alleged, a court may have to draw the usual obvious and damning conclusions about motive and opportunity. It is difficult to see how any binding
process could be founded on such uncertainty.
The foregoing is
not to decry security
, nor to seek in any way to diminish its usually positive legal effects. It simply serves to
that law and technology both exist in a cultural context. This theme—that legal security is a managed, holistic process—runs through this entire chapter. The fact that off-site electronic political voting can be fatally compromised by something as un-technical as a countervailing popular culture simply serves to highlight the importance of maintaining an aggregate approach to legal security.
The Best Security Is Designed to Fail Successfully
Chapter 2 used the sealed bunker analogy to
that a hermetically sealed security system is, paradoxically, an unusable security system. Equally, law must always be arguable to some extent if it is to avoid degenerating into fascism. Instead of casting about for a nonexistent technical silver security bullet, the real-world issue for both law and security is a pragmatic matter of deciding
to what extent
a security infrastructure can and needs to be resistant to technical attack, or to subsequent legal challenge.
is already at work in online security. We have seen, for instance, that the legal effectiveness of a digital signature is mutable—its legal force is in part dictated by the effectiveness of a people-dependent security policy that determines how the private key should be allocated and stored. Proportionality and context can also be critical factors. We have also seen how, in a consumer-to-business context, one-way SSL security is technically and legally adequate, but that it would fail to meet reasonable legal expectations about authentication and proof in a business-to- business context.
Security risks, and their attendant legal risks, are no different from any other risks. They can be managed, but short of ceasing all online activity, they cannot be eradicated. Perhaps the best analogy is vehicle safety. Certain automobile manufacturers concentrate on “passive safety” such as
and crumple zones. Other more thoughtful manufacturers lay equal stress on “active safety” such as agile and secure handling, efficient interior ergonomics to reduce driver fatigue, and powerful engines to allow for safer overtaking maneuvers.
The danger with passive safety is that it engenders complacency. The driver retreats into a cocoon and expects/hopes that the
security devices will be proof against all external attacks from other road users. This is a “wait and hope” policy. In other words, it’s no policy. By contrast, a driver who has learned to rely on active safety is fully
to the constant possibility of danger and is, as a result, better prepared to take early and effective preemptive action.
Similarly, the best security professionals will never claim to have eradicated risks. A keen awareness of the possibility of failure
against complacency and ensures that any security failure will be a
. We can best control the security and legal consequences of an anticipated and managed failure. We are relatively helpless in the face of an unexpected failure.
Accordingly, the challenge for security professionals is to implement security measures that take equal account of technical, people-dependent, legal, and cultural contingencies—and that apply these thoughtfully to particular situations. The law does not expect that we can create failproof systems. No court would even give any credence to such a wild claim. However, the law does expect that security professionals will implement security measures that
These are not the stuff of absolutist or extravagant “snake oil” ambitions. They are realistic and achievable goals. We have already noted how, from a legal standpoint, the perceived statistical
of an attack could be as
as an actual attack. However, provided we can achieve such goals, our security will have secured the legal
of a contract in the first place; and by keeping
physical attacks to a
level, our security will also have negated even the possibility of any retrospective legal challenge that would seek to attack a particular contract by discrediting an entire architecture.
In legal security, the possibility of failure is, paradoxically, our most effective security ally.