IBT - Electronic Commerce: The Legal Infrastructure
Victor H. Bouganim
WCL, American University
© 2001 Victor H. Bouganim, WCL, American University IBT - Intro - 2
Problem 4.4 (Textbook, p. 166)
Professor Pedro (Brazil) buys books at rein.com (Germany), a company owned by rivers.com (USA).
Prof Pedro's order triggers an automatic, computer-generated order addressed to East Publishing Co., an American firm.
Prof Pedro's personal information, including the details of his purchase, is sent to rivers.com for marketing purposes.
Class Discussion
What legal issues are raised by these activities?
Are there any special issues that arise because these activities are carried out with the aid of, or entirely by, computers?
What distinctions are important for the analysis of this problem?
E-Comm - Critical Issues
– Identification of trading partners and authentication
– Applicable rules
– Choice of law and jurisdiction
– Contracts and consumer protection
– Privacy protection
E-Commerce - Phases
Phase 1: EDI
Phase 2: Tele-Shopping
Phase 3: Electronic Commerce
Electronic Commerce (diagram)
– Contract formation: offer and acceptance (digital contract)
– Order, performance and payment
– eCatalogue, tele-shopping, delivery of goods, digi-cash payment
– Full electronic commerce: 'soft goods'
E-Comm - Closed Systems
– trading partners are identified and known
– a pre-defined contract sets up the trade rules
– typical systems: EDI (Electronic Data Interchange); SWIFT (international funds transfer)
E-Comm - Open Systems
– open market trading for all
– global market; virtual trading partners; micro-commerce
E-Commerce Systems (diagram)
Law Reform Principles - 1
Neutrality principle: laws should work with whatever technology, science and commercial practices might develop.
Law Reform Principles - 2
Non-discrimination principle: records, legal acts or authentication may not be denied legal effect, validity or enforceability solely on the ground that they are electronic.
International Initiatives (timeline)
– UNCITRAL: E-Commerce Model Law, 1996; E-Commerce Committee
– USA: July 1997 White House paper; UCITA and UETA, 1999; Digital Signature Act, 2000
– EU: July 1995 Information Society; 1999 Digital Signature Directive
E-Commerce Legislation
– UNCITRAL Model Law on Electronic Commerce, 1996
– UETA 1999: Uniform Electronic Transactions Act
– Digital signature legislation: Third Millennium Electronic Commerce Act 1999
– UCITA 1999: Uniform Computer Information Transactions Act (originally drafted as UCC Article 2B on licensing)
Critical Legal Terms
Re-definition of critical terms: writing, document, signature, bill, notice, etc.
Digital Signature - 1
A digital signature must:
– identify the messenger: it is unique to a person and under that person's sole control
– authenticate the message: it shows that the message has not been altered since it was signed
eSig - Attribution
"Attribution procedure" means a procedure to verify that an electronic authentication, display, message, record, or performance is that of a particular person or to detect changes or errors in information. The term includes a procedure that requires the use of algorithms or other codes, identifying words or numbers, encryption, or callback or other acknowledgment.
Sec. 102, Uniform Computer Information Transactions Act 1999
Digital Signature - 2
– achievable with public-key cryptography, e.g. the RSA algorithm: the signer uses a private key that only he or she holds, and anyone with the matching public key can verify the signature
– needs a trusted third party (TTP) or certification authority to be effective, because the verifier must be able to link the public key to a real person
– alternative: biometric identity, e.g. an iris scan or fingerprint (this identifies the person presenting it, but does not by itself bind that person to the contents of a particular message)
Simple Encryption (diagram: one secret key)
plain-text -> encrypt -> cipher-text
cipher-text -> decrypt -> plain-text
Both steps use the same secret key.
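The diagram above shows a single secret key used for both directions. The following added example (mine, not part of the original slides) makes that concrete in Python using only the standard library: a toy keystream cipher built from SHA-256 with an HMAC tag. The key, nonce, message bytes and party names are constructed for illustration. It also shows the limitation that the digital-signature slides turn on: a tag made with a shared secret can be validated by every holder of that secret, so it cannot attribute a message to one particular person.

```python
"""Symmetric ("simple") encryption: the same secret key both encrypts and
decrypts.  Added example, not part of the original slides.  Standard library
only, so the cipher is a SHA-256 keystream in counter mode plus an HMAC tag:
a toy construction that shows the mechanics, not a substitute for a vetted
AEAD cipher such as AES-GCM in real systems."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stretch key+nonce into `length` pseudo-random bytes (counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """plain-text --encrypt--> cipher-text.  Output: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce  # never reuse with one key
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC: the receiver can detect any change to the bytes, but
    # the tag only proves "someone holding `key` produced this".
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, message: bytes) -> bytes:
    """cipher-text --decrypt--> plain-text; ValueError on wrong key or tampering."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("tag mismatch: wrong key or altered cipher-text")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def rejects(key: bytes, message: bytes) -> bool:
    """True if decrypt() refuses the message under this key."""
    try:
        decrypt(key, message)
        return False
    except ValueError:
        return True


def who_can_vouch(message: bytes, keys: Dict[str, bytes]) -> List[str]:
    """Every party whose key validates the tag.  With a shared secret that is
    all key holders at once, so the tag cannot attribute the message to one
    specific person: the gap that the digital-signature slides address."""
    return [name for name, k in keys.items() if not rejects(k, message)]


if __name__ == "__main__":
    shared = os.urandom(32)                       # constructed demo key
    sealed = encrypt(shared, b"order: 2 copies of IBT textbook")
    print(decrypt(shared, sealed))
    print(who_can_vouch(sealed, {"rein.com": shared, "Prof Pedro": shared,
                                 "outsider": os.urandom(32)}))
```

Because provider and customer hold the same key, `who_can_vouch` lists both of them for any message either one produced; a court cannot tell from the tag alone which of the two sent it. That is the "unique to a person" requirement that a private key, held by one party only, satisfies and a shared secret cannot.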
Public-Key Encryption - RSA Algorithm (diagram)
The Need for Certification Authorities
– The effectiveness of certification authorities is based on trust.
– Digital certificates are used to authenticate a person or organization by means of a public key.
– The role of the certification authority is to provide the link between a unique private/public key pair and the actual identity of a group or individual.
– The certification authority does this by issuing certificates: computer-based records that identify a subscriber and contain the subscriber's public key.
Electronic Signature Certification
"Certificate" means an electronic attestation which links signature-verification data to a person and confirms the identity of that person.
"Certification-service-provider" means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures.
European Directive on a Community framework for electronic signatures (1999/93/EC, 13 December 1999)
Digital Certificate Process
1. A private/public key pair is generated on a trustworthy system.
2. The public key, along with personal identification information such as a passport, birth certificate or driver's licence, is taken to the CA.
3. The CA verifies the person's identity.
4. The CA creates a digital certificate consisting of the person's identifying information and public key, and digitally signs it using the CA's own private key.
5. Anyone holding the CA's public key can then verify the CA's signature on the certificate and so trust that the public key inside it belongs to the named person. (Verification does not decrypt the certificate, which travels in the clear; it checks the CA's signature over the certificate's contents.)
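The issuance and verification steps above, together with the earlier "Digital Signature - 2" and "Public-Key Encryption - RSA Algorithm" slides, as one runnable added example in Python. It is mine, not the slides' own material, and uses no third-party library: the RSA pairs are toy-sized keys from a seeded generator, the CA name "Example CA", the serial number, timestamp and order text are constructed, and "Prof Pedro" and "rein.com" are the parties from Problem 4.4. The relying party never decrypts the certificate: it re-hashes the certificate fields and checks the CA's signature against that hash, and it consults a revocation list first.

```python
"""CA-issued digital certificates end to end: key generation, the CA signing a
certificate, and a relying party verifying it.  Added example, not from the
original slides.  RSA keys are toy-sized (160-bit primes from a seeded RNG so
the run is fast, offline and repeatable); real deployments use 2048-bit+ keys,
X.509 encoding and a vetted library.  Party names come from Problem 4.4."""
import hashlib
import json
import random
from typing import Dict, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin test with `rounds` random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keypair(bits: int = 160, seed: int = 0, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public, private).  The seeded RNG is for reproducibility here only."""
    rng = random.Random(seed)

    def prime() -> int:
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < 2**256 < n


def sign(private: Key, data: bytes) -> int:
    d, n = private
    return pow(_digest(data), d, n)


def verify(public: Key, data: bytes, signature: int) -> bool:
    """The verifier re-hashes the data and checks signature**e mod n against it."""
    e, n = public
    return pow(signature, e, n) == _digest(data)


def _canonical(fields: Dict) -> bytes:
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def ca_issue(ca_private: Key, issuer: str, subject: str, subject_public: Key,
             serial: int, issued_at: str) -> Dict:
    """Steps 3-4 of the slide: having checked the subject's identity documents
    out of band, the CA binds identity to public key and signs the record."""
    tbs = {"issuer": issuer, "subject": subject, "public_key": list(subject_public),
           "serial": serial, "issued_at": issued_at}
    return {"tbs": tbs, "signature": sign(ca_private, _canonical(tbs))}


def verify_certificate(cert: Dict, ca_public: Key, revoked=frozenset()) -> bool:
    """Step 5: anyone holding the CA's public key can check the binding;
    the revocation list is consulted first."""
    tbs = cert["tbs"]
    return tbs["serial"] not in revoked and verify(ca_public, _canonical(tbs), cert["signature"])


def check_signed_order(order: bytes, order_sig: int, cert: Dict, ca_public: Key,
                       revoked=frozenset()) -> str:
    """What the provider (rein.com) does with a customer's signed order."""
    if not verify_certificate(cert, ca_public, revoked):
        return "reject: certificate invalid or revoked"
    if not verify(tuple(cert["tbs"]["public_key"]), order, order_sig):
        return "reject: order signature does not verify"
    return "accept: order attributed to " + cert["tbs"]["subject"]


def demo() -> Dict[str, str]:
    ca_public, ca_private = rsa_keypair(seed=1)
    pedro_public, pedro_private = rsa_keypair(seed=2)
    cert = ca_issue(ca_private, "Example CA", "Prof Pedro", pedro_public,
                    serial=1001, issued_at="2001-03-01T10:00:00Z")  # constructed data
    order = b"order: 2 copies of IBT textbook -> rein.com"
    order_sig = sign(pedro_private, order)
    forged = {"tbs": dict(cert["tbs"], subject="Mallory"), "signature": cert["signature"]}
    return {
        "genuine": check_signed_order(order, order_sig, cert, ca_public),
        "forged_cert": check_signed_order(order, order_sig, forged, ca_public),
        "revoked_cert": check_signed_order(order, order_sig, cert, ca_public, revoked={1001}),
        "altered_order": check_signed_order(order + b"0", order_sig, cert, ca_public),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} {outcome}")
```

Three things the run makes visible that the step list does not: changing any field of a certificate (here the subject name) breaks the CA's signature, so a relying party cannot be tricked into trusting a re-labelled key; a certificate that still verifies cryptographically is nonetheless useless once its serial number is on the revocation list, which is why the EU requirements later in the deck insist on a secure and immediate revocation service; and the order itself is checked against the key inside the certificate, so a one-byte change to the order is detected independently of the certificate check.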
Authentication Procedure (diagram): Provider and Customer each hold a key; the TTP / Certification Authority sits between them.
Authentication Procedure (diagram, continued): the labels show Message + Key passing from each of Provider and Customer to the TTP / Certification Authority, which checks the key and returns OK for each side.
Certification Authority Policies
A certificate policy is "a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements" (the definition used in X.509 and RFC 2527).
Certificate policies allow infrastructures, certification authorities and their subscribers to inter-operate at the appropriate trust levels.
TTP - Regulatory Modes
– Private-sector-based supervision systems
  – US: eSig Act does not regulate CAs; self-regulated industry, e.g. VeriSign
– Governmental supervision: CA rules prescribed in legislation
  – State DigSig laws, e.g. Utah, California
– EU: DigSig Directive leaves the option between governmental or self-regulated supervision
Digital Signature State Legislation
Utah
– Most of Utah's bill deals with the regulation of certification authorities.
– Utah's Digital Signature Act specifies the required use of public/private key cryptography as a way of safely transferring information.
– Only lawyers and banks will be allowed to function as certification authorities.
California
– California Digital Signature Regulations
– "Certification Authority" means a person or entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate.
– The Regulations define the requirements for CAs.
EU - CA Regulations
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
Sets up the rules and requirements for the operation of CAs:
– Annex II of the Directive
– Article 8 - Data protection: Member States shall ensure that certification-service-providers and national bodies responsible for accreditation or supervision comply with the requirements laid down in the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC).
EU - Requirements for CA - 1
– ensure the operation of a prompt and secure directory and a secure and immediate revocation service
– ensure that the date and time when a certificate is issued or revoked can be determined precisely
– verify, by appropriate means in accordance with national law, the identity of the person to whom a qualified certificate is issued
EU - Requirements for CA - 2
– employ personnel who possess the expert knowledge, experience and qualifications necessary for the services provided
– use trustworthy systems and products which are protected against modification and ensure the technical and cryptographic security of the processes supported by them
– take measures against forgery of certificates, and guarantee confidentiality