Conclusions


This chapter demonstrates that, in both law and security, there can be no unthought absolutes:

  • Legal security is holistic.

  • Security also depends on cultural mores. (Consider the security anomaly that is off-site electronic voting.)

  • The best security is designed to fail.

Legal Security Is Holistic

In line with the “padlock on a paper bag” axiom, there is little point in applying all or any of the preceding security measures to a systems architecture that is itself legally vulnerable in other ways. For instance, you may wish to configure your system automatically to send copies of signed data to an Oracle database to ensure efficient storage and subsequent data interrogation.

Further, for litigation planning, you may also wish to generate digitally signed audit trails. Many applications keep logs of their activities; for example, “signed document on 12/12/2002 at 12:10 p.m.; sent document on 12/12/2002 at 12:11 p.m.” Such log files should also be digitally signed, ideally using a tamperproof hardware device.
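As an added example (not from the book), one way to realise the signed, chained audit trail just described: each log entry's tag covers its own content plus the previous entry's tag, so editing, deleting or reordering entries is caught on verification. An HMAC under a constructed key stands in for the digital signature a tamper-resistant hardware device would produce; the timestamps reuse the chapter's own sample events.

```python
import hmac
import hashlib
import json
import copy

# Constructed demo key. In a real deployment the signing key would be held in
# (and the tag produced by) a tamperproof hardware device, not a Python constant.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

def _canonical(prev: str, when: str, event: str) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    return json.dumps({"prev": prev, "when": when, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()

def make_entry(prev: str, when: str, event: str, key: bytes = LOG_KEY) -> dict:
    """One audit entry whose tag binds the event, its time and the previous tag."""
    tag = hmac.new(key, _canonical(prev, when, event), hashlib.sha256).hexdigest()
    return {"prev": prev, "when": when, "event": event, "tag": tag}

def build_log(events, key: bytes = LOG_KEY) -> list:
    """Chain a sequence of (when, event) pairs into a verifiable log."""
    log, prev = [], GENESIS
    for when, event in events:
        entry = make_entry(prev, when, event, key)
        log.append(entry)
        prev = entry["tag"]
    return log

def verify_log(log, key: bytes = LOG_KEY) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:  # deleted, inserted or reordered entry
            return False, i
        expected = hmac.new(key, _canonical(e["prev"], e["when"], e["event"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["tag"]):  # altered content
            return False, i
        prev = e["tag"]
    return True, -1

def tampered(log, index: int, new_event: str) -> list:
    """Copy of the log with one event rewritten (constructed attack for testing)."""
    bad = copy.deepcopy(log)
    bad[index]["event"] = new_event
    return bad

# Constructed sample matching the chapter's example log lines.
EVENTS = [("2002-12-12T12:10", "signed document"),
          ("2002-12-12T12:11", "sent document")]
```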

Caution

In the broadest sense, legal security eludes even the above. While the following are outside the scope of this chapter, you should also check that your Web site design complies with GUI disability laws; that your autoresponder is not inadvertently binding you into unwanted contracts by responding in legally binding terms to every casual query; that you have highlighted any of your onerous click-through trading terms with a specific “accept” button; that your harvesting of potential customer information is not contravening data protection laws; that your bulk mailings do not contravene any anti-spam laws; and that your site is compliant with distance selling legislation.

Effective Security Depends on Shared Cultural Assumptions

Most prison security systems depend heavily on the cultural assumption that prison wardens are not motivated to release prisoners. Since the majority of wardens obviously are not so motivated, the prison security system works. ATM machine security depends heavily on a common-sense materialistic assumption that it is not in our interests to reveal our ATM card PINs. That assumption is overwhelmingly correct; and, again, the system works. Digital signature security, like credit card security, depends on an equally common-sense assumption that it is not in our best interests to allow our private key to fall into third-party hands, thereby running the risk of incurring fraudulently attributed contractual liabilities to unknown parties.

Such assumptions disintegrate in the case of electronic voting in political elections, where such voting is carried out away from a polling booth. From a straightforward technical security perspective, electronic voting is problematic in any event. Contracting parties use digital signatures to bind contractual obligations to named individuals. By contrast, online voters are at pains to remain anonymous. Further, contracts usually exist in a wider context. That context can be a telling source of corroborative evidence to settle a contractual dispute. However, online voting is a once-off event—it is deliberately designed so that there should not be any corroborative evidence of a voter’s intentions.

Arguably however, off-site online political voting’s greatest security threat is a cultural one: voter apathy. In the West, a significant minority of potential voters is alienated from party politics. They do not vote. They have no incentive to maintain the security of their online votes. In fact, they have every incentive, particularly in marginal constituencies, illegally to sell their votes to unscrupulous party activists.

Strong security and effective policies can guard against identity theft to a court’s satisfaction. However, where a politically indifferent and mercenary voter is voting unsupervised, there is little that even the best security can do to prevent fraudulent identity selling. Once such voter fraud is credibly alleged, a court may have to draw the usual obvious and damning conclusions about motive and opportunity. It is difficult to see how any binding democratic process could be founded on such uncertainty.

The foregoing is certainly not to decry security generally, nor to seek in any way to diminish its usually positive legal effects. It simply serves to illustrate that law and technology both exist in a cultural context. This theme—that legal security is a managed, holistic process—runs through this entire chapter. The fact that off-site electronic political voting can be fatally compromised by something as un-technical as a countervailing popular culture simply serves to highlight the importance of maintaining an aggregate approach to legal security.

The Best Security Is Designed to Fail Successfully

Chapter 2 used the sealed bunker analogy to demonstrate that a hermetically sealed security system is, paradoxically, an unusable security system. Equally, law must always be arguable to some extent if it is to avoid degenerating into fascism. Instead of casting about for a nonexistent technical silver security bullet, the real-world issue for both law and security is a pragmatic matter of deciding to what extent a security infrastructure can and needs to be resistant to technical attack, or to subsequent legal challenge.

This legal pragmatism is already at work in online security. We have seen, for instance, that the legal effectiveness of a digital signature is mutable—its legal force is in part dictated by the effectiveness of a people-dependent security policy that determines how the private key should be allocated and stored. Proportionality and context can also be critical factors. We have also seen how, in a consumer-to-business context, one-way SSL security is technically and legally adequate, but that it would fail to meet reasonable legal expectations about authentication and proof in a business-to-business context.

Security risks, and their attendant legal risks, are no different from any other risks. They can be managed, but short of ceasing all online activity, they cannot be eradicated. Perhaps the best analogy is vehicle safety. Certain automobile manufacturers concentrate on “passive safety” such as airbags and crumple zones. Other more thoughtful manufacturers lay equal stress on “active safety” such as agile and secure handling, efficient interior ergonomics to reduce driver fatigue, and powerful engines to allow for safer overtaking maneuvers.

The danger with passive safety is that it engenders complacency. The driver retreats into a cocoon and expects/hopes that the barrier security devices will be proof against all external attacks from other road users. This is a “wait and hope” policy. In other words, it’s no policy. By contrast, a driver who has learned to rely on active safety is fully alive to the constant possibility of danger and is, as a result, better prepared to take early and effective preemptive action.

Similarly, the best security professionals will never claim to have eradicated risks. A keen awareness of the possibility of failure guards against complacency and ensures that any security failure will be a managed failure. We can best control the security and legal consequences of an anticipated and managed failure. We are relatively helpless in the face of an unexpected failure.

Accordingly, the challenge for security professionals is to implement security measures that take equal account of technical, people-dependent, legal, and cultural contingencies—and that apply these thoughtfully to particular situations. The law does not expect that we can create failproof systems. No court would even give any credence to such a wild claim. However, the law does expect that security professionals will implement security measures that

  • Demonstrate a clear understanding of the core legalities that must be secured

  • Are capable of keeping security attacks to a de minimis level

These are not the stuff of absolutist or extravagant “snake oil” ambitions. They are realistic and achievable goals. We have already noted how, from a legal standpoint, the perceived statistical likelihood of an attack could be as damaging as an actual attack. However, provided we can achieve such goals, our security will have secured the legal components of a contract in the first place; and by keeping successful physical attacks to a de minimis level, our security will also have negated even the possibility of any retrospective legal challenge that would seek to attack a particular contract by discrediting an entire architecture.

In legal security, the possibility of failure is, paradoxically, our most effective security ally.




Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Authors: Mark O'Neill