The concept of trusted services forms a key issue for any kind of electronic service, developing at a large scale. At ITIS-ITAB'99, Mr. Robbert Fisher, consultant at Price/Waterhouse/Coopers in Luxembourg, highlighted the current business perspectives of the European trusted services market. In tele health care as in other kinds of services delivered via open networks, security plays a dominant role. The Business Environment Study of Trusted Services (BESTS) indicates that trusted services are essential for Europe's growth into the information society, and that therefore it should have native competence in trusted services. How can it be explained that Europe seems to be lagging behind North America?
The key elements of security include full integrity of the message content, confidentiality, access control, identification and authentication of the sender, and non-repudiation to prove that the message really has been sent. The existing trusted services are very much based on the certification method, in which a specific key as a unique code is linked to an entry, which could be an organization or an individual. The asymmetric system of public key encryption forms the main technological development of the last years. The system consists of a public and private key to make each transaction as safe as possible. Certification involves a variety of services, ranging from the digital signature in a document linking to a specified key; key issuance and revocation; key escrow as a means of access in case of legal requirements; over the registration of public keys to a time stamp on documents and cross certification to obtain access to your medical records wherever you are.
The certification authorities are responsible for issuing the certificates while the registration authorities are charged to control the physical identity of the certificate holder. There are three models of public key infrastructure (PKI). The open system provides access to any user, the closed system can be used in companies or hospitals to supply information to specified users, while the member certificate system will be most applied in the future to offer unique access to a specific user or patient, strongly related with the organization or hospital.
The BESTS study was carried out during 1998 for the European Commission under DG XIII to investigate the elements impeding businesses from entering the European Trusted Services (ETS) provision area, to identify bottlenecks, and to propose scenarios for creating a favourable business environment for ETS service providers. Three major issues were tackled in the BESTS study, namely the aspects of the present international environment, giving rise to uncertainties and risks for the business community; the factors preventing European businesses from entering into and remaining profitable in the TS industry, which is the so-called chicken and egg situation of how to act with non-existent regulation; and the role of government as a provider of a legal and regulatory business environment, but also as a major player in the field.
Although BESTS is ultimately a business-oriented study, it integrates three other basic components, which are technical, legal and government related. As such, the study inquires into which extent technologies, like networking and cryptography, have sufficiently developed and matured, as well as which technical issues might hinder further development. At the legal level, most of the legislation is still valid but the existing laws need to be expanded. The study equally determines in which areas wholly new laws have to be created. As far as the national and supra-national governments are concerned, they have a double role as a market player, providing and using trusted services internally, and as a regulator.
In collaboration with Rand Corporation, Mr. Fisher and his team worked out a scenario gaming to project invited experts from around the world, who are familiar with trusted services, into the fictional future of 2005. The attendees were asked to envision four potential realities of growth, stagnation, decline, and maturity. The analysis resulting from this role playing, has amounted in a number of top 10 findings. With relation to the certification authorities, it seems they won't be the pre-dominant model in the future anymore. Instead, a "branding registration authority" (RA) will convey the brand at street level to the consumer. As a matter of fact, he is not interested to learn that the mechanics of certification and related activities are handled by one of a few large certification authorities.
The consumer has a tendency to trust brand names. If owners of a globally recognized, trusted and admired brand name distribute solid, well-known goods and services, the consumer is not sure whether the provided electronic services are secure, but he simply trusts the organization. The infrastructure costs may be deceptively cheap when only taking into account the technical implementation, but a high level of service has to be guaranteed throughout the entire business cycle and this might be pretty expensive. In the single-user market, it is not easy to differentiate between two certification services. Mr. Fisher refers to the Pepsi and Coca Cola situation where differentiation has become impossible. Here, the additional services will form the key issue.
As for the user education, the acquisition, payment, confirmation, use and management of certificates are relatively mysterious and invisible to users. In fact, the education problem stretches out to the whole chain of insurance companies, potential private-label clients, integrators as well as consultants. This is what is meant by alliance education. With regard to the degradation of consumer confidence, the industry is less scared of getting high claims and paying money, than of being involved in a lawsuit altogether, since this entirely destroys the consumer's trust. Regulation is a problematic issue as it constitutes the major barrier for proper development of trusted services. Market stimulation by government is an excellent tool for building a critical mass of users and trust, especially in the health care sector.
Mr. Fisher concludes that e-commerce and e-services are really taking off to such an extent that all of them need trusted third party services to organize their business in a proper way. The main players traditionally consist of the certification authorities, insurance companies, post and telecommunication services, government, banks, chambers of commerce, and so on. Although regulation is still very unclear, many pilots are launched but there are very few real implementations at the moment. In any case, Mr. Fisher anticipates that trusted services are entering into a growth market. The full BESTS final report and executive summary can be found at the BESTS home page.