This report proposes a ‘Consumer Protection Act for Digital Products’ to support electronic commerce and to control the increasing abuse and lack of security on the national information highways. Patterned after the ‘Food and Drug Act of 1906 (21 USC)’ and subsequent legislation, a new agency similar to the FDA would have the authority ‘to develop administrative policy with regard to the safety, effectiveness, and labeling of digital products and their communications for human use, and to review and evaluate new applications of such products.’ Specifically, it is proposed that standards originally developed by the defense industry for the labeling, enveloping, and authentication of digital products delivered to the Government be extended to promote global electronic commerce by protecting the intellectual property rights of producers, establishing their liability for the end-use of digital products, and giving consumers the means for informed decision making and purchase.
New federal standards for the protection of sensitive data now make it possible to ensure the authenticity, integrity and confidentiality of digital products, and non-repudiation of digital telecommunications.
Under review and comment since 1991, the new Federal standards were confirmed this year and provide standard means for the protection of voice and data communications from accidental and wilful abuse. The standards are initially tailored to protect only ‘sensitive-but-unclassified’ (SBU) data in compliance with the Computer Security Act of 1987. These data represent the majority of transactions in electronic commerce, including sensitive procurement information, trade secrets, financial data, product definitions, and company-proprietary information classified as ‘intellectual property.’ Harmonization of the new standards with international requirements is in progress.
In the United States, the confirmation of the basic standards marks the beginning of a long-range program to assure discretionary and mandatory access controls to digital resources. Upwards compatibility into the classified domain with multi-level security is a core requirement of the National Information Infrastructure.
In this report we review the powerful capabilities of standard Public-Key-Cryptology and the availability of commercial and Federal products for data protection, and we make recommendations for their cost-effective use to assure reliable telecommunications and process controls.